It's strange that the paper doesn't mention us considering that we have considerable expertise in this very area.
I'm thinking of the scenario where a bad actor takes over an existing library with the original owner's blessing, either by contributing and then taking on maintainership, or via payment to the original owner.
In that case ownership of signing keys may transition to the new owners voluntarily, so there would be no noticeable change in terms of signing of packages.
I mean, yes, but cryptography alone cannot solve that problem. TUF and in-toto provide cryptographic solutions to cryptographic problems, which is much more than anyone else is doing today.