
Won't this allow anyone with write access to the source code repository to publish a package? Seems just one extra layer of indirection.


Yes, but now only one place to get rekt - the source which (presumably) has tighter ACL than the package manager?

The old way had risk at two steps and now it's reduced 50%


On the contrary; repositories usually involve many people pushing to them, whereas a package release could be handled by just one person (with maybe one or two for backup).

Plus, what about package signing? If the released version comes directly from the repo, does that mean the final package isn't signed by a maintainer?


Since most source code will be maintained via Git, there's almost no security at all, since you can easily rewrite Git history.


Well, it depends: if your package version links to a commit hash, you should be rather secure. One could delete it but not overwrite it as easily.
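To make the commit-hash pinning point concrete, here is an added example that is not from any commenter or project on this page. It recomputes git's content-addressed object hashes (blob, tree, commit) in plain Python for a tiny one-file release, then checks a pinned hash against the tree being built. The file contents, author string, timestamp and release message are constructed for the example. Changing a single byte of the pinned file, or pointing a release at a child commit, produces a different hash, which is why a force-push can make a pinned commit unreachable but cannot silently replace what the hash refers to.

```python
import hashlib


def git_object_hash(obj_type, body):
    """Content address exactly as git computes it:
    sha1("<type> <size>\\0" + body). Any change to body changes the id."""
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def tree_hash(files):
    """Hash a flat tree of regular files (mode 100644, no subdirectories).
    Git sorts entries by name and stores the raw 20-byte blob id."""
    body = b""
    for name in sorted(files):
        blob_id = git_object_hash("blob", files[name])
        body += f"100644 {name}\0".encode() + bytes.fromhex(blob_id)
    return git_object_hash("tree", body)


def commit_hash(tree_id, parents, author, message, timestamp=1700000000):
    """Hash a commit object built from its fields. The timestamp is fixed
    (constructed for the example) so the result is reproducible."""
    lines = [f"tree {tree_id}"]
    lines += [f"parent {p}" for p in parents]
    lines.append(f"author {author} {timestamp} +0000")
    lines.append(f"committer {author} {timestamp} +0000")
    body = "\n".join(lines) + "\n\n" + message + "\n"
    return git_object_hash("commit", body.encode())


# Constructed sample release: one file, no parents, fictitious maintainer.
AUTHOR = "Maintainer <maint@example.invalid>"
RELEASE_FILES = {
    "setup.py": b"from setuptools import setup\nsetup(name='pkg', version='1.0')\n",
}
RELEASE_MESSAGE = "Release 1.0"


def release_commit(files, parents, message):
    """Commit id a publisher would record for a release built from files."""
    return commit_hash(tree_hash(files), parents, AUTHOR, message)


# The hash a package index would pin for version 1.0.
PINNED = release_commit(RELEASE_FILES, [], RELEASE_MESSAGE)


def pin_matches(pinned, files, parents, message):
    """Build-time check: does the source we are about to publish from
    reproduce the pinned commit id bit for bit?"""
    return release_commit(files, parents, message) == pinned


def demo():
    """Three scenarios against the same pin; returns the outcomes."""
    # 1. Honest rebuild of the same commit: the pin still matches.
    honest = pin_matches(PINNED, RELEASE_FILES, [], RELEASE_MESSAGE)

    # 2. Rewritten history: one extra line in the pinned file. The blob,
    #    tree and commit ids all change, so the pin no longer matches.
    tampered_files = dict(RELEASE_FILES)
    tampered_files["setup.py"] += b"import os  # constructed: injected line\n"
    rewritten = pin_matches(PINNED, tampered_files, [], RELEASE_MESSAGE)

    # 3. A new child commit on top of the pinned one (the "push a new
    #    version linked to a different commit" case): also a different id,
    #    so the pin for 1.0 says nothing about it.
    child = pin_matches(PINNED, tampered_files, [PINNED], "Release 1.0.1")

    return {"honest": honest, "rewritten": rewritten, "child": child}


if __name__ == "__main__":
    print("pinned commit:", PINNED)
    print(demo())
```

The blob and tree formats match what `git hash-object` and `git write-tree` produce, so the blob ids here can be cross-checked against a real repository; the commit id depends on the constructed author line and timestamp. Note what the pin does not do: it proves nothing about a later commit that a publisher points a new version at, which is the scenario the next reply raises.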


One could presumably push a new version, linked to a commit that contained (directly or as an ascendant) some malicious code.



