"So you have to trust upstream as well."
No you don't. Source code is still available and the package can be modified and recompiled if necessary.