I think the premise is that since the xz vulnerability was discovered, social engineering was not thought of as a prominent attack vector of opensource security models. So, I think you're right, but I may be wrong!