Cannot Find Newly Installed Software in Software Manager

This thread starts to pop up in my unread list too often and I think that it is unnecessary.

There are two radically different and maybe contradicting objectives.

If you buy a supported system, pay for support, or use a community-driven (and financed by you or others) system/distribution and care at least a little about security, then you want to be assured that somebody has reviewed the software you use and signed it with a really hard-to-falsify electronic signature stating that it is safe to use. If you buy from Purism and believe in their good intentions and security procedures, then you install software from the repositories they offer, which are signed by their key. You, in theory, should be extra careful that the initial keys received with the computer or installed by the initial system download are not modified. Purism provides extra options to ensure key delivery… If you take care and check the keys against the published ones on their web, key ring servers etc., then it is relatively safe as well. As for the applications, Purism approves only those which are really fully open-source, so you can check for malicious behavior yourself or can hope that somebody else looking into the sources finds the risk. You can pay for analysis, and thanks to reproducible builds you can then check the actual packages. But be prepared that security assessments are really expensive. Because OpenSSL is critical, there are many studies paid by big players, random link, it would be in range of ten million dollars for the work and more. You benefit from these investments etc…

So this is the gain if you use the distribution as designed.

If you want to use some other software outside the default repositories, then you can look for some serious provider for your operating system family. For the Debian flavor, you can add another repository to the APT sources list. Then you should obtain and add the signing key of the vendor and check that you can really trust it. You will see available software and updates in management tools such as Synaptic, Aptitude etc. I understand that you are probably a desktop user used to point-and-click system maintenance. Most people on this forum probably have a different attitude; I want to use procedures which can be repeated, automated and solved on many systems which I need to take care of remotely. So this is why there are suggestions for reproducible use of terminal tools. You have no problem repeating the steps reproducibly, searching for reported errors on the Web etc. I hate reports from my students and users when they send a blurry mobile photo or screenshot. Providing manuals and documenting steps for graphical tools is a nightmare as well. But yes, for the end user and many tasks the graphical interface has advantages…

If the application vendor does not provide a correct distribution procedure with a repo, then you have the option to download a package (think about it as a Windows MSI; it is still at least visible in managers and comes with the option to cleanly uninstall), or to directly download a binary and mess with the system without a recorded way to uninstall. Yet the next level is to build the package yourself. I have a local Debian repo and a repo on a server for students, university lab computers etc. So again fully maintainable etc… even for packages which are not packaged for my distro. Development ones, I install with /opt/sw_name during development. So no mess which I know from Windows.

I would like to know your practice on Windows. If you locate software by Google and then install it from the link found, then I expect that it is very high risk. Yes, it is easy and comfortable. If it is an MSI, it is signed, but you have no guarantee from that; it only proves that somebody paid to obtain software signing keys, and you have to trust that no trusted certificate authority has signed a certificate for somebody with malicious intention. You cannot check or pay someone to check the whole sources etc. It is a complete nightmare, and development is as well (I know stories from my colleague solving the signing of drivers we develop even for Windows)…

So I suggest that ordinary Windows users at least pay with some part of the comfort: when functionality that is usually standard in each Linux distribution is missing on Windows, locate the given community-developed software (even by Google), then try to find the given project on Wikipedia, take the link back to the project from Wikipedia, and then locate the download section for Windows on the official site. I know that from a security practice point of view it is still a banned way, but I hope that the risk is much smaller than with a random link from a search engine. I believe that the given software's page on Wikipedia is visited often by knowledgeable people who would notice a link change as well as report that the project has been hijacked, stolen, or transferred to some not so well behaving entity. But I still consider it the best practice to stay away from Windows entirely…

Please, consider thinking about security, comfort, remote manageability etc. and ask for suggestions and good practices. But a repeated rant about the system not fitting your idea of how it should work starts to be a waste of time. And yes, if you are comfortable with Windows, stay with it. By the way, if you start to celebrate Microsoft technology, consider first that they suppressed TCP/IP and, when it was inevitable, grabbed the BSD TCP/IP stack, then they tried to change the HTTP standard to be unusable for all others, and in the end they grabbed for free the KHTML, Safari, Chrome development results and built closed Teams and Edge from them. Same for many other technologies. So even if you use Windows, you have no reason to derail people working on sound and free technologies from doing the work which they like; you would need it daily.

2 Likes
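
The repository-plus-key procedure described in the post above (add a vendor repository to the APT sources, obtain the vendor's signing key, check it before trusting it), sketched as an added example that is not part of the original post. The vendor name, URL and fingerprint are constructed placeholders, and the key file is assumed to be ASCII-armored with an OpenPGP v4 (40 hex digit) fingerprint.

```sh
#!/bin/sh
# Added example. Vendor name, URL and fingerprint are constructed placeholders.
ROOT=${ROOT:-}   # set ROOT to a scratch directory to try this without touching /

# Normalise a fingerprint as printed on a web page: drop spaces/colons, upper-case.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n:' | tr 'a-f' 'A-F'
}

# True only for two identical full 40-hex-digit (OpenPGP v4) fingerprints.
# Short key IDs are rejected on purpose.
fpr_matches() {
    a=$(norm_fpr "$1"); b=$(norm_fpr "$2")
    case "$a" in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Fingerprint of the first key in a downloaded key file, without importing it.
key_fpr() {
    gpg --show-keys --with-colons "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# sources.list entry that trusts only the given keyring for this repository.
sources_line() {   # url suite component keyring
    printf 'deb [signed-by=%s] %s %s %s\n' "$4" "$1" "$2" "$3"
}

# add_repo name url suite component keyfile expected_fingerprint
add_repo() {
    keyring="/usr/share/keyrings/$1.gpg"
    if ! fpr_matches "$(key_fpr "$5")" "$6"; then
        echo "fingerprint mismatch for $5, repository not added" >&2
        return 1
    fi
    mkdir -p "$ROOT/usr/share/keyrings" "$ROOT/etc/apt/sources.list.d"
    gpg --dearmor < "$5" > "$ROOT$keyring" || return 1
    sources_line "$2" "$3" "$4" "$keyring" > "$ROOT/etc/apt/sources.list.d/$1.list"
}

# Usage (as root, fingerprint copied from the vendor's published page):
#   add_repo vendor-example https://apt.vendor.example/debian stable main \
#       ./vendor-example.asc "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
```

The `signed-by` option limits the vendor key to this one repository, so it cannot vouch for packages from the distribution's own archives.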