Are all packages necessarily reproducible on GUIX?

1 vote
1 answer
133 views
By default, what will happen if I try to install a package with GUIX and it's not bit-for-bit reproducible? I'm very concerned about the state of package managers in 2024 (and the risks of supply chain attacks). While traditional package managers like [apt](https://security.stackexchange.com/questions/246425/does-apt-get-enforce-cryptographic-authentication-and-integrity-validation-by-de?rq=1) and [yum](https://security.stackexchange.com/questions/257577/does-yum-enforce-cryptographic-authentication-and-integrity-validation-by-defaul?rq=1) are maintained by a dedicated team of package managers who verify, test, and cryptographically sign all their releases, new package managers like [flatpak](https://security.stackexchange.com/questions/259088/does-flatpak-enforce-cryptographic-authentication-and-integrity-validation-by-de?rq=1), [snap](https://security.stackexchange.com/questions/246478/does-snapd-enforce-cryptographic-authentication-and-integrity-validation-by-defa), and docker allow random users to submit packages, and will [happily download](https://security.stackexchange.com/questions/238916/how-to-pin-public-root-key-when-downloading-an-image-with-docker-pull-docker-co) and run maliciously-modified software. Today I learned about GUIX, which emphasizes reproducible builds. But after spending an hour reading their docs, I could not determine how reproducible builds in GUIX work -- nor whether it's **enforced** for all packages. Does a default install of GUIX require builds to be reproducible? How does it ensure the authenticity of the software and the resulting binary? What are the possible vulnerabilities of this system?
Asked by Michael Altfield (382 rep)
Apr 2, 2024, 07:15 PM
Last activity: Nov 7, 2024, 08:20 AM