With most package managers you can review package sources (e.g. `choco info` for Chocolatey, or `brew info` / `brew edit` for Homebrew).
As for the threat model, it comes down to whether using package management poses a larger risk than doing everything manually and risking running a range of outdated packages.