About a year ago I read a post about reproducibility of the rustc releases (there is also an issue for this). I think the same approach, applied to the crates.io libraries, can make them more secure. At least anyone would be able to reproduce a build and compare it with the one from crates.io (or it could be done automatically).
I know we depend on LLVM, but as was discussed in the post I mentioned above, everything can be solved.