The problem appears to be that updates to packages are put in a repository which is used by the released software which includes the tools for updating packages just like on almost every similar platform, creating a POLA violation.
This is made worse by the fact that most packages can be safely updated. I've been updating packages for years and only recently found one to be problematic (netifd).
Even worserer is that the idea of not updating packages only occurred to me when I came here and -after jumping all the hoops to find the forums, sign up, navigate to the right place, browse, find the relevant thread, find the relevant posts, try to check the authority of the poster, etc. - read a thread or two on the subject.
The best solution is not obvious, but as currently released and documented, it should be expected that all good admins will find out how to update and do so (and probably fix any problems they encounter while doing so). Some relevant discussion in Okpg upgrade safeguards?