The current Go module design and implementation target small Go projects.
Small project direct integration pipeline
Such projects consume third-party code unchanged and rely entirely on the QA done upstream. Their only needs are to download those dependencies, check that they have not been tampered with (via the notary, the Go checksum database, and the hashes recorded in go.sum), and regularly check for updates.
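The tamper check in that pipeline is the hash recorded in go.sum. The following Go program is an added example, not code from this page or from the Go toolchain: it reimplements the `h1:` hash that go.sum stores (the dirhash Hash1 algorithm: for each file in sorted path order, the line `<sha256 hex>  <path>` is fed into an outer SHA-256, whose digest is base64-encoded), verifies a constructed, hypothetical module `example.com/dep@v1.2.3` against its own go.sum line, and shows that editing or adding a file in the download fails the check.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Module is a constructed in-memory module zip: path inside the zip -> contents.
// In a real module zip every path is prefixed with "<module>@<version>/".
type Module map[string][]byte

// Hash1 reimplements the "h1:" hash written to go.sum (dirhash.Hash1 in
// golang.org/x/mod): hash each file with SHA-256, write
// "<hex digest>  <path>\n" for each file in sorted path order into an outer
// SHA-256, and base64-encode the outer digest.
func Hash1(m Module) (string, error) {
	paths := make([]string, 0, len(m))
	for p := range m {
		if strings.Contains(p, "\n") {
			return "", errors.New("filenames with newlines are not supported")
		}
		paths = append(paths, p)
	}
	sort.Strings(paths) // order-independent: the zip's listing order does not matter
	outer := sha256.New()
	for _, p := range paths {
		inner := sha256.Sum256(m[p])
		fmt.Fprintf(outer, "%x  %s\n", inner[:], p)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(outer.Sum(nil)), nil
}

// GoSumLine formats a go.sum line for a module zip: "<module> <version> <hash>".
func GoSumLine(modPath, version, h string) string {
	return fmt.Sprintf("%s %s %s", modPath, version, h)
}

// Verify parses a go.sum line and checks that the downloaded files hash to
// the recorded value. Any byte difference, in any file, changes the hash.
func Verify(sumLine string, files Module) (bool, error) {
	fields := strings.Fields(sumLine)
	if len(fields) != 3 {
		return false, fmt.Errorf("malformed go.sum line: %q", sumLine)
	}
	if !strings.HasPrefix(fields[2], "h1:") {
		return false, fmt.Errorf("unsupported hash algorithm in %q", fields[2])
	}
	got, err := Hash1(files)
	if err != nil {
		return false, err
	}
	return got == fields[2], nil
}

// sampleModule builds a constructed (hypothetical) module zip layout.
func sampleModule() Module {
	const prefix = "example.com/dep@v1.2.3/"
	return Module{
		prefix + "go.mod":  []byte("module example.com/dep\n\ngo 1.16\n"),
		prefix + "dep.go":  []byte("package dep\n\nfunc Answer() int { return 42 }\n"),
		prefix + "LICENSE": []byte("MIT\n"),
	}
}

func main() {
	files := sampleModule()
	h, _ := Hash1(files)
	line := GoSumLine("example.com/dep", "v1.2.3", h)
	fmt.Println(line)

	ok, _ := Verify(line, files)
	fmt.Println("pristine download verifies:", ok)

	// Simulate a tampered mirror: one constant changed in one source file.
	tampered := sampleModule()
	tampered["example.com/dep@v1.2.3/dep.go"] = []byte("package dep\n\nfunc Answer() int { return 41 }\n")
	ok, _ = Verify(line, tampered)
	fmt.Println("tampered download verifies:", ok)
}
```

In the real toolchain the same comparison happens at download time and in `go mod verify` against go.sum, with entries for modules not yet in go.sum cross-checked against the checksum database (`GOSUMDB`); the update check is `go list -m -u all`. Note what the hash does not cover: it proves the bytes match what was recorded, not that upstream's QA was adequate, which is exactly the blind reliance the paragraph above describes.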
Small project code supply chain:
third party code ↓