I think apt checks signatures.
You only need to be careful when adding a new repo to verify the pubkey there.
Replies (1)
I use apt and dnf. They all do some form of verification. Verifying repo pubkeys UX is bad, and there is no second layer of defence (e.g. malware makes it into a repo, not uncommon).