The amount of malware you can cram in a source-code patch without drawing attention vs. in a binary is vastly different.
There's also the fact that if you want to ship binaries, you can just wget them from source during the build process. Not a perfect solution but much better than what's ventoy doing. The source code updates works the same in every project because it has to. That's why this is drawing more attention.
Yep, some people these are saying just 7 of the 150 binaries don't have source or build info. Yeah, one binary is enough to do all the evil in the world, not that other binaries support reproducible builds anyway.
I mean, assuming you're telling the truth about there being a competent group seriously attempting this, it's still "trust us bro" to conclusively claim it can't be achieved without providing a shred of evidence. This makes your original comment irrelevant and worthless.
It matters because nobody is going to check the hashes for all of the files match whenever there's a change so the maintainer can just replace them with whatever he wants.