No more scary than when you use apt on a Debian machine to keep things up to date. However, this time you have the added benefit of being able to roll back to a previous version of the software with the same ease and also of being able to trace the source of your software to a cryptographically verifiable entity.
1. Has a limited subset of people who can upload packages. Becoming one of these people is hard.
2. Has strict rules about package quality. A detected attempt to upload a malicious package will cause the uploader's privileges to be removed.
3. There is a trusted group of people who have the authority over all packages and who can remove the bad ones. Anyone can contact them and point out that the change is malicious, and they will listen.
4. There are enough people who look at the package changes who will detect malicious packages.
None of them are true for Chrome extensions / Urbit code (unless there is something I have not noticed):
1. Anyone with (Google account | Urbit identity) can upload packages.
2. There are no rules about package quality (until recently, Google support did not care about ad injectors, for example).
3. There is no trusted third party to deal with bad packages (again, until recently Google support did not care except for the most obvious cases).
4. Since the number of packages is so high, and it is for "everyone", most package changes will never be looked at.
All of your points in favor of Debian's system really only apply if you only use Debian's official package repositories. Something that you can absolutely do in Urbit as well. Nothing says you have to pull packages from every possible location out there. Urbit can absolutely have its share of official repositories of applications with the same quality and safety guarantees that Debian has. And indeed many of the apps you get already come from a default official source. The star or galaxy you got your ship from.
Wow, this sounds scary. It will be just like Chrome extensions turning into malware, but for EVERYTHING:
https://arstechnica.com/security/2014/01/malware-vendors-buy...