
I think that there is a real point in talking about the security risk from having it too easy to fetch tons of dependencies. That's literally code that gets downloaded and run on the user's machine; I would always feel safer if the dev had at least an idea about the dependencies they pull.

You can also have a mixed approach, where you depend on the system libraries for those that are maintained by the distro, and build/handle the remaining dependencies manually. That is an incentive to actually use the libraries that are maintained by the distro, which is a good thing IMO: not every library gets to be distributed by Debian; there is some level of quality control there.


