Docker Security - How much should I question the software I get from places like LinuxserverIO?

I'm not yet past hosting a few things like Pi hole, Plex, and some other basic services. So many guides just give you a docker compose file to customize for your own environment and instruct you to pull the latest image from wherever. But how do I trust that the software I'm running is not malicious or won't turn malicious? Obviously big name stuff like Pihole, Plex, Nginx etc are pretty easy to trust. But for less popular software, how do I trust that someone isn't going to send a malicious update? How careful do I need to be? There are so many sources and forks of things and sometimes it's hard to know whether the source you are using is official or a fork. It's easy to spend lots of time troubleshooting port issues and forget to look at the image source and vet it. It's also easy to imagine someone justifying using a fork of something that is tweaked to fit their needs instead of tinkering with the source that they can't get to work for whatever reason.

Like I think I'm comfortable enough creating a unique user with limited access and using that UID and GID to limit permissions. Careful about only mounting necessary volumes etc. But even those volumes might have lots of data I care about in some way, shape or form. I'm just not an expert here, and like many newbies, run software on my NAS which would be pretty difficult to lose. Yes yes backups blah blah. Maybe beyond, say, an encryption attack someone is worried about their private data being harvested quietly? No shortage of bad things that can happen ...

In theory a rogue image shouldn't have access to much if I'm careful, but I'm curious if there's anything I should watch for? Most of the guides barely gloss over security. Both docker and Linux are known for contributing to a secure ecosystem. I just worry that it's for people who know what they are doing and not your average schmo editing a copy paste compose script.