Isn't this just checking packages against known CVEs, which wouldn't help for undiscovered or unannounced vulnerabilities? Let me know if I've misunderstood; I'm basing this off the documentation site.
Also I find the irony goes hard in their recommendation of installing another attack surface (brew) on Linux and missing the point.
I think they have a malware detection engine of their own, so not only do they help protect from known vulnerabilities / malware, but they also have their own database.
https://github.com/safedep/vet