This trust dynamic, where devs mistrust built-in browser features (which are by definition more secure) but trust random code from npm, has perplexed me as well.
@baldur I think part of this is a legacy of competing/incompatible browsers. Devs learned to import jQuery to smooth out the differences. Now, browsers are much more compatible but the habit stuck.
Some of it too is the ecosystem, where for whatever reason library devs are encouraged to pull in many dependencies. That is partially the fault of the JS standard library sucking, but a lot of it is cultural imo.
@robotsneedhugs Yeah, I think you’re right.