A big thing is that Go does not install the latest version of transitive dependencies. Instead it uses Minimal version selection (MVS), see https://go.dev/ref/mod#minimal-version-selection. I highly recommend reading the article by Russ Cox mentioned in the ref. This greatly decreases your chances of being hit by malware released after a package is taken over.
In Go, access to the os and exec require certain imports, imports that must occur at the beginning of the file, this helps when scanning for malicious code. Compare this JavaScript where one could require("child_process") or import() at any time.
Personally, I started to vendor my dependencies using go mod vendor and diff after dependency updates. In the end, you are responsible for the effect of your dependencies.
Because browsers can require certificates to be in the certificate transparency logs to be valid. Chrome already does this. If a government convinces a CA to create a malicious certificate and publishes this cert to the CT logs to perform MITM, it will get found out and that CA can close its doors.
Also, if someones DOES have this ability and gets found out, e.g. someone finds the certificate, it makes it clear someone had that ability. You'll know that root CA is compromised one way or another and it potentially gets burnt.
Thus, they'll only use it under the strictest smallest of circumstances where the reward outweighs the risk, in a high profile scenario, rather than rolling it out willy nilly.
Similar to when threat actors use a 0day.. if they use it all the time it eventually gets discovered and fixed. If they save it for a special case they may manage to use it a couple of times before it gets patched.
Browsers enforce that certificates are signed by two independent CT logs. The public keys of which is shipped by the browser. So a MITM would need to compromise a trusted CA and two CT logs to be able to pull off an attack undetected. Maybe not impossible but much more difficult than just a single CA compromise.
In Go, access to the os and exec require certain imports, imports that must occur at the beginning of the file, this helps when scanning for malicious code. Compare this JavaScript where one could require("child_process") or import() at any time.
Personally, I started to vendor my dependencies using go mod vendor and diff after dependency updates. In the end, you are responsible for the effect of your dependencies.