They can almost undetectably target an individual user or group of users at any point in time in the former case, while the latter case would leave traces in e.g. git histories.
I trust Mozilla to write Firefox and I trust Debian to package it. I do not trust Mozilla to be trustworthy on a live and ongoing basis.