I’m talking not only about trusting the distribution chain but about the situation where some services don't rebuild their images using updated bases if they don't have a new release.

So for example, if the particular service's latest tag was a year ago, they keep distributing it with a year-old Alpine base…

  • ikidd@lemmy.world
    4 hours ago

    Rebuilding containers is trivial if they supply the Dockerfile. Then the base image is up to date, and you can add any updates/patches for things like the recent React vuln.
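One way to find the images this thread is worried about, as an added example that is not from any poster or project: it reads `docker image inspect` JSON and flags images whose build date is older than a threshold. The sample data, the 90-day threshold and the function names are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like `docker image inspect <image>...` output,
# reduced to the two fields used here; names and dates are made up.
SAMPLE_INSPECT = """[
 {"RepoTags": ["example/service:latest"], "Created": "2024-01-10T08:15:30.123456789Z"},
 {"RepoTags": ["example/fresh:1.2"], "Created": "2025-01-20T12:00:00Z"},
 {"RepoTags": ["example/reproducible:3"], "Created": "1970-01-01T00:00:00Z"}
]"""


def parse_created(value):
    # Docker writes RFC 3339 with up to nanosecond precision; whole seconds
    # are enough here. Assumption: the timestamp is in UTC.
    stamp = datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")
    return stamp.replace(tzinfo=timezone.utc)


def audit_images(inspect_json, now, max_age_days=90):
    """Return [(tag, status, age_days)]; status is 'stale', 'ok' or 'unknown'."""
    results = []
    for image in json.loads(inspect_json):
        tag = (image.get("RepoTags") or ["<untagged>"])[0]
        created = parse_created(image["Created"])
        if created.year < 2013:
            # Reproducible builds pin the timestamp to an epoch value, so the
            # date says nothing about how old the base layers are.
            results.append((tag, "unknown", None))
            continue
        age = (now - created).days
        results.append((tag, "stale" if age > max_age_days else "ok", age))
    return results


if __name__ == "__main__":
    fixed_now = datetime(2025, 2, 1, tzinfo=timezone.utc)  # fixed for the sample
    for tag, status, age in audit_images(SAMPLE_INSPECT, fixed_now):
        print(f"{status:8} {tag} age_days={age}")
```

A recent build date only shows the image was rebuilt; if the Dockerfile pins an old base tag, the base is still old. When rebuilding a stale image from its Dockerfile, `docker build --pull --no-cache` makes Docker refetch the base instead of reusing a cached copy.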