This is exactly why HIPS is needed: never blindly trust apps! A few years ago they did the same with GOM Player for Windows.
Not really. The solution is using trustworthy hosting sites, not random mirrors. HandBrake is FOSS and the repository is on GitHub. They could just as easily do their releases on GitHub or use a specialized service like FossHub.com.
Yes, but the point is that all hosting sites can get hacked. So that's why I always monitor app installation, no matter if I trust the app or not. The only one that I know of is F-Secure XFENCE: https://campaigns.f-secure.com/xfence/