So, I don't bother with vendoring my dependencies ( usually ), but you have it the wrong way round.
Vendoring would make it more likely you're gonna review the changes, be ause you can quickly eyeball whether or not changes look significant, which is something you often won't get out of a go.sum change.
That's not totally without cost though, as it can break workflows that cherry pick commits between branches. eg main/master branch vs stable release branches
I don't think anyone is saying it's without cost, just that there are certain circumstances where you might want to bare the cost.
There's a generic question of how you build confidence in your dependcies not being compromised, and there's steps you can take to mitigate that without reading code, but if everyone was adopting that stance then we'd likely have no mitigations
Vendoring would make it more likely you're gonna review the changes, be ause you can quickly eyeball whether or not changes look significant, which is something you often won't get out of a go.sum change.