Packages can get hijacked too.
What is the difference between a random website or domain, and the package manager of a major distribution, in terms of security? Is it equally likely they get hijacked?
The issue is not the package manager being hijacked but the package. And the package is often outside the "major distribution" repository. That's why you use curl | bash in the first place.
Your question does not apply to the case discussed at all, and if we modify it to apply, the answer does not argue your point at all.