
But sorta possible to solve with source-based distribution and totally possible to solve with pure reproducible builds.


It's entirely possible to ship malware in source form... Just look at the numerous supply chain attacks. Nix is a cute project but entirely irrelevant here.


It is possible but visible, and it means burning an identity, so it's not irrelevant.


Burning an identity? Instead of hacking the server that serves the binary, you have to hack the developer's machine and commit a malicious source change.

I wouldn't consider either of them to burn an identity.


What systems have pure reproducible builds? Does Nix? Any others? From what I understand, it is a very difficult problem.


https://stal-ix.github.io/ and Guix, but the definitions of purity are different for them.

Yes, a very difficult problem: compilers must be pure functions with thin effectful wrappers.
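An added example (not from any commenter in this thread) of the "pure function with a thin effectful wrapper" point: a minimal packaging step written two ways. The naive version lets file mtimes, uid/gid and the gzip timestamp leak into the artifact; the reproducible version pins them so the output depends only on paths and contents. The source trees and file names are constructed for the demo.

```python
import gzip, hashlib, io, os, tarfile, tempfile
# Constructed demo: a "build" step that packages a source tree as a tarball.
# The naive packager leaks environment state (file mtimes, uid/gid, the gzip
# header timestamp); the reproducible one pins each of those inputs.

def naive_archive(src_dir):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:  # gzip mtime = now
        tar.add(src_dir, arcname=".")  # copies on-disk mtime, uid, gid, mode
    return buf.getvalue()

def reproducible_archive(src_dir, source_date_epoch=0):
    buf = io.BytesIO()
    gz = gzip.GzipFile(fileobj=buf, mode="wb", mtime=source_date_epoch)
    with tarfile.open(fileobj=gz, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for root, dirs, files in os.walk(src_dir):
            dirs.sort()  # fixed traversal order, independent of the filesystem
            for name in sorted(files):
                path = os.path.join(root, name)
                info = tar.gettarinfo(path, arcname=os.path.relpath(path, src_dir))
                info.mtime = source_date_epoch  # the SOURCE_DATE_EPOCH idea
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                info.mode = 0o644  # drop umask-dependent permission bits
                with open(path, "rb") as f:
                    tar.addfile(info, f)
    gz.close()
    return buf.getvalue()

def make_source_tree(files, mtime):
    # Write a constructed source tree whose files carry the given mtime.
    d = tempfile.mkdtemp()
    for rel, content in files.items():
        path = os.path.join(d, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)
        os.utime(path, (mtime, mtime))
    return d

def demo():
    # Same sources, two checkouts differing only in mtime and write order.
    # Returns (naive_hashes_match, reproducible_hashes_match).
    src = {"src/main.c": "int main(void) { return 0; }\n", "Makefile": "all:\n\tcc src/main.c\n"}
    a = make_source_tree(src, mtime=1_000_000)
    b = make_source_tree(dict(reversed(list(src.items()))), mtime=2_000_000)
    h = lambda data: hashlib.sha256(data).hexdigest()
    naive_same = h(naive_archive(a)) == h(naive_archive(b))
    repro_same = h(reproducible_archive(a)) == h(reproducible_archive(b))
    return naive_same, repro_same  # → (False, True)
```

Comparing hashes of two independent builds is the check a distributor (or a user of a source-based distribution) can run to tell a reproducible artifact from one that merely claims to be.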



