Third-party plugin repository hijacked

You should basically assume that nothing is safe, which doesn’t work well either.

Just a few days ago it came to light that one of the developers behind some ESLint Prettier package’s NPM account was compromised and they published new compromised versions of some popular packages:

These packages were then referenced in other packages, because many claim that you should always update to the latest versions.

After I saw this thread I suggested a feature to introduce signature validation of plugins/theme components while updating them: Plugin and theme component signing

That would not stop a compromised key, but at least make part of the supply chain more trustworthy. In the end it is still possible that compromised third-party libraries are pulled in. Additional dependencies are not really visible.

3 Likes
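As an added illustration of the signing check proposed above (example code, not part of the original post or of any forum software): the updater verifies an Ed25519 signature over the plugin name, version and archive hash against a key pinned at first install, so a tampered archive or a release signed by a different key is refused. The plugin names, archive bytes and the message format are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Release is a hypothetical plugin artifact: archive bytes plus a detached signature.
type Release struct {
	Name, Version string
	Archive       []byte
	Signature     []byte
}

// signedMessage binds the signature to name and version as well as the archive
// contents, so a valid signature cannot be replayed onto another plugin or version.
func signedMessage(name, version string, archive []byte) []byte {
	sum := sha256.Sum256(archive)
	return []byte(fmt.Sprintf("plugin-release/v1\n%s\n%s\n%x", name, version, sum))
}

// SignRelease is the step a plugin author's release pipeline would run.
func SignRelease(priv ed25519.PrivateKey, name, version string, archive []byte) Release {
	return Release{name, version, archive, ed25519.Sign(priv, signedMessage(name, version, archive))}
}

// VerifyRelease is the check the updater runs before installing, against a public
// key pinned locally at first install rather than fetched from the repository.
func VerifyRelease(pinned ed25519.PublicKey, r Release) error {
	if len(r.Signature) != ed25519.SignatureSize {
		return errors.New("malformed signature; refusing update")
	}
	if !ed25519.Verify(pinned, signedMessage(r.Name, r.Version, r.Archive), r.Signature) {
		return errors.New("signature does not verify against pinned key; refusing update")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // author's key; pub is what gets pinned
	good := SignRelease(priv, "example-plugin", "2.1.0", []byte("constructed archive bytes"))
	fmt.Println("genuine release:", VerifyRelease(pub, good))
	tampered := good
	tampered.Archive = []byte("constructed archive bytes with injected code")
	fmt.Println("tampered archive:", VerifyRelease(pub, tampered))
	_, otherKey, _ := ed25519.GenerateKey(rand.Reader) // a different, unpinned key
	fmt.Println("foreign key:", VerifyRelease(pub, SignRelease(otherKey, "example-plugin", "2.2.0", []byte("other build"))))
}
```

A compromised signing key still passes this check, which is the limitation the post points out; pinning only narrows trust from "whoever can push to the repository" to "whoever holds the author's key".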