Using a distro like nixos highers the bar for attackers since more eyes might be looking at upstream updates for malicious codes (not an obligation though).
Moreover, i don't know about nix but in the guix ecosystem there's the guix challenge command which enables to query different build servers for the same build hash so you don't have to build it yourself but can split trust among several trustworthy actors. So one build server getting compromised would quasi-instantly raise alarms.
Moreover, i don't know about nix but in the guix ecosystem there's the guix challenge command which enables to query different build servers for the same build hash so you don't have to build it yourself but can split trust among several trustworthy actors. So one build server getting compromised would quasi-instantly raise alarms.