The amount of malware you can cram in a source-code patch without drawing attention vs. in a binary is vastly different.
There's also the fact that if you want to ship binaries, you can just wget them from source during the build process. Not a perfect solution but much better than what's ventoy doing. The source code updates works the same in every project because it has to. That's why this is drawing more attention.
It matters because nobody is going to check the hashes for all of the files match whenever there's a change so the maintainer can just replace them with whatever he wants.