It bears repeating explicitly I think: you're not working against today's analysis tools, you're working against whatever analysis tools exist far into the future, since everything is recorded for eternity.
I've seen the theme of "maintainer of popular open source product is threatened by person who doesn't understand it's just a component" show up a few times, but when I think about it most those times have been related to curl specifically. Maybe it's because of the domain haxx.se? Or maybe Daniel just writes about it a lot? Does this kind of thing happen so regularly to others?
Which food delivery apps do you have in mind? In my experience they are heavily engineered towards leaving only positive reviews, and as a result the range of scores is 4.0-5.0 rather than 1-5. Ubereats says things like "this review will be public with your name", and the timing of the review prompt and wording of the question all feels like it's trying to optimize the chance of a positive review.
To be fair, the number of times this type of error occurs due to a state-backed actor who's quietly hijacked the build system with an undetectable backdoor is low compared to the number of customers who see the error for some other reasons (bad download for example) - so it's not entirely surprising they'd give this advice.
It bears repeating explicitly I think: you're not working against today's analysis tools, you're working against whatever analysis tools exist far into the future, since everything is recorded for eternity.