Pretty sure Microsoft is exponentially bigger than 99% of the library authors out there, and add to that the giant communication channel that GitHub gives it over developers, so the analogy breaks pretty fast.

Or it's worse, because there's a good bunch of devs that don't trust MS by default?

Even the most hardcore GNU supporters don't think Microsoft would add a supply chain attack to such initiative, or that their software security is worse than the average NPM (popular) package maintainer.

Just the lock in and telemetry are dangerous :)

And they're company policy as opposed to honest mistakes like security vulns.