If you look at how GitHub operates wrt. GitHub releases or GitHub Actions, it becomes clear (to me) that they have very different standards for certain security aspects than me or e.g. Project Zero.
So I would argue it's a case about having less strict standards wrt. security vulnerabilities which require you to pull in corrupted (or very careless) 3rd party code.