That is correct but it's a slightly different threat model that I don't want to tackle here.
I'm not going to claim that a developer would maliciously embed code into their own product, but I do care about the quality of their code and their security practices at large (specifically, how secure their code-promotion and binary-distribution supply chain is).
What does it change if you have an c53 audit of Version 1.0.0 and 1.0.1 has malicious code?