> If MS's distrusts its own ability to vet other people's code, why trust their ability to vet their own code?

If you want to do the legwork yourself, feel free to roll your own PKI and sign things you trust yourself.

This fails to answer the question.

It was a leading question, answer to which only you can know based on your threat model. I did however say what you can do if you don't trust Microsoft, which also makes the question quite irrelevant.