My point wasn't about Ubuntu or not, but rather about this so-called "threat model" that is the reason behind the lack of automatic updates.
The threat model is simply not valid for the security model that users who use a package manager follow.
Don't get me wrong, supply-chain-based threat models, including the source and intermediates, are a valid concern.
But you already accept those risks by using a package manager and a managed repo which contains the source code and/or binaries for the applications you want.
Not providing automatic updates to protect me from Mozilla won't reduce the risk when the risk from the package manager and the managed repo is just as high, if not higher; it just increases the overall risk, as now I need to ensure that I follow their release cycle closely to make sure that my browser is always up to date.