Distribution repositories. They are signed by PGP but the users don't need to touch it or even know about it. Just in case of external ones they need to install the key. And even without WoT, TOFU is still more secure than no verification at all.