You’re right to an extent, but there is nuance. No end user goes through the Debian repositories and checking the source code for each package by hand. You would be well within your rights to be annoyed if a rm -rf / got added into a script in the repos somehow. A level of trust somewhere is unavoidable for things to work smoothly.
Of course the difference in level of responsibility between core repos and random code pulled of github is vast.
Umatrix is great, you can configure it to automatically allow first party javascript, and if sites still dont work eneable bits until they do them lock those settings so the same bits will be enabled next time you’re on that site.