https://nitter.net/npm_malware has twenty postings in the last 19 hours, quite far from "without".
Probably OP was thinking about the deb and rpm repositories of the main distributions but yes, NPM and the likes are other examples of large repositories.
I agree there are Linux-only repos that are ~1% of that size and contain little or no malware or abuse. That's true whether you measure size in updates per day or total count of packages, so 1% seems reachable without considerable malware problems.
The distinguishing feature of Linux distributions is the existence of maintainers. Human beings who put effort into maintaining the quality and integrity of the packages and keeping them up to date. We Linux users generally trust those people, and they stand between us and all the software developers out there. To get to us, you gotta go through them. And they generally aren't in the habit of allowing obvious malware into the software repositories. That's why we trust them in the first place.
Contrast that to repositories like npm, pypi, rubygems, cargo which are all designed so that any random person can make an account and push up any package they want. There's no checking. Accounts might be compromised by or outright bought by malicious actors. Just like popular browser extensions which get bought and converted into malware.
No, it's not even a Linux package repository. Think repositories for Debian, Fedora, Arch, etc.
I don't think any of Debian, Fedora or Arch are anywhere close to a million packages or a thousand updates per day. Well below 10%. They're GNUish and 100% Linux, but really bad on the size axis.
The app store has at least two classes of problems that those three don't have, and have to handle the problems at much higher scale. "Those guys manage to handle a simpler problem at much smaller scale, so it's possible for the app store too" is hardly an argument.