Other than the very explicit tracking of the packages, their dependencies, the full build instructions, the public history, cryptographic signatures for the pre-built binaries, and the trivial ability for anyone to re-build from source and audit the entire chain all the way from bootstrap if they wished?
I’m not sure what golden standard we are comparing this to. It is not perfect, but I’d say this is a far more solid bedrock upon which to build software than anything else I’ve encountered.
There are no security implications other than those brought by the user. Freeze and host your own copies of libraries in an overlay (or write your own). The developer chooses which packages to use and from where, VERY explicitly and with a SHA, which is far more secure than NPM, for example (which is in production…everywhere).
Every nix package has to be signed in order for it to be installed via binary cache.
You can see exactly where everything's come from, using a command like:
nix-store --query --tree "$(nix-store --query --deriver "$(which python3)")"