>>a few lines of own (LLM generated) code.

... and now you've switched the attack vector to a hostile LLM.

Sure but that's a one time vector. If the attacker didn't infiltrate the LLM before it generated the code, then the code is not going to suddenly go hostile like an npm package can.

Though you will see the code at least, when you are copy pasting it and if it is really only a few lines, you may be able to review it. Should review it of course.

If it's that little review the dependency.

The difference is, the dependency can change and is usually way harder to audit. Subfolders in subfolder, 2 lines here in a file, 3 line there vs locking at some files and check what they do.

I did not say to do blind copy paste.

A few lines of code can be audited.