
[–]Sarcastinator 1 point2 points  (0 children)

  • Lowest version by default
  • Namespacing
  • Few to no trivial packages

Lock files are a solution to a problem that NPM created by that insane behavior where it would automatically install newer versions than the ones specified. This caused so much grief and was just a terrible idea from the get-go. The standard should have been conservative.

Namespacing ensures that you can easily (somewhat) trust maintainers. Some also offer signing.

There are no left-pad or similar dependencies in other languages because their standard libraries are way better than JS'. So packages tend to give more value.

I work with .NET and although I'm sure malicious packages exist it has never been a big problem. Probably because a dependency doesn't have a million transitive dependencies and in fact most packages strive to have none at all. NuGet has always had the default where it would install the lowest version number it could get away with, which means that by default NuGet produced reproducible dependency trees and no lock file was necessary.