> unless the Debian packager somehow provides negative QA, which seems unlikely

It has happened before. Last time there was anything major was over a decade ago though.

https://lists.debian.org/debian-security-announce/2008/msg00...