... but it still has a better chance of getting caught more quickly, I think.
I think that's generally right. That's why I'm happy with apt-get stable Debian, perhaps the safest around. Once we start after the most current, or allow 'user content' or PPAs, or encourage something idiotic like Flatpaks, trust ends. Even compiling from source is suspect, like you actually reviewed the code. I did say a user click. Look how stuff is getting into Android. Once 'stable' is extended into 'want' we let our guard down.
I'm aware of the proprietary PDF stuff. It's sad the government is so stupid in its conflicts of interest. I'm still amazed some states went through the Silverlight phase. It just proves most aren't paying attention.
Since the potential audience (target) was tiny in this case I suspect a grey hat demonstration.