Did you inspect the build code of all the nixpkgs you imported? Did you inspect the code of the tarballs they depend on? Sure, the SHA256 is right there...did you look at it?
People copy and paste nix code all the damn time because it's downright unparseable and inscrutable to the majority of users. Just import <module>, set some attrs and hit build. #yolo
Nix code is composable and statically checked for consistency. Docker containers are just a random sequence of shell scripts that sometimes happens to not error out because people mostly only use the same five Ubuntu or Alpine base images and don't layer more than two things at once.
Containers are "run these random shell commands I copy pasted from the internet on top of this random OS image I pulled from the internet, #yolo".