Even the most hardcore GNU supporters don't think Microsoft would add a supply chain attack to such initiative, or that their software security is worse than the average NPM (popular) package maintainer.

Just the lock in and telemetry are dangerous :)

And they're company policy as opposed to honest mistakes like security vulns.