It supports them by creating its own private key and signing them on your system. That's inherently incompatible with only trusting modules from your distro vendor.

You are right only the distro's build servers would be able to use DKMS as the distro couldn't ship the private key.

That's fundamentally not how DKMS works.