> But until then, it remains at least plausible & in practice very likely that Nix is harder to exploit than alternate systems on a technical level.

Do people even read package derivations? Feels like it'd be easy to check in a derivation with an exploit.