At a certain point it does come down to trust. From the position of a potential attacker, you can't just upload a randomly built thing to the official CentOS or Debian repositories and expect it to be made available to the rubes.
Very different from people downloading and trusting random Docker images.
I'd say there is a difference between using official Docker images (from the software vendor) and images from a random person.
Official images exist for most popular packages under a separate namespace, and usually have checksums published, etc.
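As an added illustration of the distinction the last two comments draw (this is example code written for this page, not code from any commenter or from Docker), the script below parses Docker image references and flags the ones that don't come from the official `library/` namespace on Docker Hub or aren't pinned to a `sha256:` content digest. The `SAMPLE_MANIFEST` text is constructed for the example, and the allowlists are assumptions a team would set for itself.

```python
import re

# Docker Hub normalisation: no registry means docker.io, and an image with no
# namespace on docker.io lives under "library/", the official-image namespace.
DEFAULT_REGISTRY = "docker.io"
OFFICIAL_NAMESPACE = "library"
SHA256_DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image_ref(ref):
    """Split [registry/][namespace/]name[:tag][@sha256:hex] into its parts.

    Missing parts are None, except that Docker Hub defaults are applied for the
    registry and namespace. Tags and digests are returned as written.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    last_slash = ref.rfind("/")
    colon = ref.rfind(":")
    # A colon only denotes a tag if it comes after the last "/"; otherwise it
    # belongs to a registry host:port such as localhost:5000.
    if colon > last_slash:
        ref, tag = ref[:colon], ref[colon + 1:]
    parts = ref.split("/")
    registry = DEFAULT_REGISTRY
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry = parts.pop(0)
    name = parts.pop()
    namespace = "/".join(parts) if parts else None
    if namespace is None and registry == DEFAULT_REGISTRY:
        namespace = OFFICIAL_NAMESPACE
    return {"registry": registry, "namespace": namespace, "name": name,
            "tag": tag, "digest": digest}


def check_image_ref(ref, allowed_registries=(DEFAULT_REGISTRY,),
                    allowed_namespaces=(OFFICIAL_NAMESPACE,)):
    """Return a list of policy findings; an empty list means the reference passes.

    The allowlists are assumptions for this example: by default only official
    Docker Hub images, pinned by digest, are accepted.
    """
    p = parse_image_ref(ref)
    findings = []
    if p["registry"] not in allowed_registries:
        findings.append(f"registry {p['registry']!r} is not in the allowlist")
    if p["namespace"] not in allowed_namespaces:
        findings.append(f"namespace {p['namespace']!r} is not in the allowlist")
    if p["digest"] is None:
        # A tag is mutable: whoever controls the repository can re-point it.
        findings.append(f"not pinned by digest (tag {p['tag'] or 'latest'!r} is mutable)")
    elif not SHA256_DIGEST.match(p["digest"]):
        findings.append(f"malformed digest {p['digest']!r}")
    return findings


IMAGE_LINE = re.compile(r"^\s*image:\s*[\"']?([^\"'\s]+)", re.MULTILINE)


def audit_manifest(text, **policy):
    """Map every image: reference found in a compose/Kubernetes-style YAML text
    to its findings. Only a simple 'image:' line pattern is recognised."""
    return {ref: check_image_ref(ref, **policy) for ref in IMAGE_LINE.findall(text)}


# Constructed sample input (the digest value is a placeholder, not a real image).
SAMPLE_MANIFEST = """\
services:
  web:
    image: nginx@sha256:abababababababababababababababababababababababababababababababab
  tool:
    image: someuser/tool:latest
  app:
    image: "ghcr.io/org/app:1.2.3"
"""

if __name__ == "__main__":
    for ref, findings in audit_manifest(SAMPLE_MANIFEST).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{ref}: {status}")
```

Running it prints the official, digest-pinned `nginx` reference as `OK` and lists the reasons the other two would fail a review. Pinning by digest is what turns the "checksums published" point into something enforceable: a digest names specific content, whereas a tag is a pointer the repository owner can move.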