This account is a replica from Hacker News.
PyPI is pretty best-in-class here and I think that they should be seen as the example for others to pursue.
The client side tooling needs work, but that's a major effort in and of itself.
A lot of dubious claims here.
1. "Most open source repositories do have eyes on the code"
Seems basically impossible that this is true.
"Debian often has separate maintainers who maintain patches specific to Debian." does not support the previous statement. Debian cherry-picks patches, yes.
2. "It's not a coincidence that Linux distros are much less susceptible to malware in their official repositories."
Not only is it not a coincidence, it seems to not even be true.
3. "The play store will always have significant amounts of malware, so this entire conversation is moot."
This seems to just be "a problem cannot be totally solved, therefore making progress on this problem is pointless to attempt". I... just reject this?
Not shilling, your points are just bad. I could just as easily say "You are one person who makes money, therefore you are always bad". Silly.
Your argument is basically "If the Android team cared about user safety then Google would shut down as a business to support them". It's nonsense.