OpenZeppelin team members are instructed to use strong unique passwords and two-factor auth for both GitHub and npm, which we monitor or enforce when the platform permits. (GitHub can enforce it, npm can’t.)
With vendoring of the contracts, I’m concerned about the difficulty of verifying that those contracts are not custom-modified. However, installing from npm is also not such a strong guarantee once the contract is verified on Etherscan, because the source code will be inlined there.
Auditors can and should verify that vendored contracts were not modified, but it’s harder for the general public who may also be interested in knowing.
There is also the issue that, as far as I know, audits are performed on the code as found in the repository and not as published, although this is a neutral argument because it affects all approaches equally. I guess what this means is that Etherscan would benefit from a feature that verifies the integrity of contracts from OpenZeppelin Contracts, or even the correspondence with a repository.
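One way an auditor or a curious user can do the vendored-vs-published check discussed above, as an added example that is not part of the post or of OpenZeppelin's own tooling: hash every `.sol` file in the vendored tree and compare it against a reference tree (for instance the unpacked npm tarball of the same release), reporting files that differ, are missing, or were added. The sample trees here are constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digests(root: Path, suffix: str = ".sol") -> dict:
    """Map each .sol file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob(f"*{suffix}"))
        if p.is_file()
    }


def compare_trees(vendored: Path, reference: Path) -> dict:
    """Classify contracts as modified, missing (only in reference) or extra."""
    v, r = file_digests(vendored), file_digests(reference)
    return {
        "modified": sorted(k for k in v.keys() & r.keys() if v[k] != r[k]),
        "missing": sorted(r.keys() - v.keys()),
        "extra": sorted(v.keys() - r.keys()),
    }


def write(root: Path, rel: str, body: str) -> None:
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(body)


def demo() -> dict:
    """Constructed sample: one silent edit, one dropped file, one extra file."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, ven = Path(tmp) / "reference", Path(tmp) / "vendored"
        originals = {
            "token/ERC20/ERC20.sol": "contract ERC20 {}\n",
            "access/Ownable.sol": "contract Ownable {}\n",
            "utils/Context.sol": "abstract contract Context {}\n",
        }
        for rel, body in originals.items():
            write(ref, rel, body)
        write(ven, "token/ERC20/ERC20.sol", originals["token/ERC20/ERC20.sol"])
        write(ven, "access/Ownable.sol", "contract Ownable { /* local edit */ }\n")
        write(ven, "utils/Extra.sol", "contract Extra {}\n")
        return compare_trees(ven, ref)


if __name__ == "__main__":
    print(demo())
```

Point `compare_trees` at a real vendored directory and at the matching unpacked npm package to get the same three-way report; any non-empty `modified` list is the signal that the vendored copy cannot be trusted as the audited version.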