How does apt repository key pinning improve security?

0 votes
0 answers
26 views
Keys for apt repositories should nowadays be pinned to specific repositories by using signed-by (ideally in deb822 format) under the guise of improved security. And apt-key has been removed because it does not support managing keys in individual files. I wonder how big the effect of this improvement ultimately is, given the following scenario:

1. An attacker gains control of one of the configured repositories.
2. He adds a malicious version of e.g. base-files or another essential package with a backdoor and a higher version than in the installed base OS version.
3. On all machines that have this repository configured, the next apt update; apt upgrade will happily install this package over the official system packages without hesitation or warning.

So key pinning does not achieve much here – aside from providing some means for better hygiene in apt key management. On the other hand it looks very legit and feels rather secure (which is bad if it actually isn't). Is this observation correct? Or am I fundamentally missing the point of apt key pinning?
Asked by Christo (129 rep)
May 15, 2025, 04:46 PM
Last activity: May 15, 2025, 04:49 PM
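The scenario in the question, simulated as an added example (this is not code from the post or from apt itself): Signed-By only binds a key to a source, so a compromised repository can still offer any package name at any version, and the thing that decides whether that version is installed is the pin priority from apt_preferences(5), not the key. The script below implements dpkg's version ordering and the core of apt's candidate selection (highest Pin-Priority wins, ties broken by version; installed versions sit at priority 100, sources default to 500; downgrades above priority 1000, NotAutomatic and target-release handling are left out as a simplification), then runs the question's base-files case once without pins and once with the third-party repository pinned to 100. The repository pkgs.example.com, the package example-agent, the sources stanzas and all version strings are constructed for the example.

```python
"""Simulation of apt candidate selection for the base-files scenario.

Constructed inputs: pkgs.example.com and example-agent are hypothetical; the
version strings are made up. Simplified apt_preferences(5) semantics: highest
Pin-Priority wins, ties broken by dpkg version ordering, installed = 100,
sources default to 500; downgrade (>1000), NotAutomatic and target-release
rules are ignored.
"""
from dataclasses import dataclass
from functools import cmp_to_key
import re


# --- dpkg version ordering (the rules of dpkg --compare-versions) ----------
def _order(c):
    # '~' sorts before everything (even end of string, which is 0); digits are
    # 0 too; letters by code point; other symbols after all letters.
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # non-digit prefixes are compared character by character ...
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # ... and digit runs numerically, ignoring leading zeros
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def dpkg_compare(v1, v2):
    """<0, 0 or >0 like dpkg --compare-versions: epoch, then upstream, then revision."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return e1 - e2          # an attacker's "99:" epoch beats any real version
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


# --- deb822 / preferences parsing (only the fields this example needs) -----
def _stanzas(text):
    for block in re.split(r"\n\s*\n", text.strip()):
        if block.strip():
            yield {k.strip(): v.strip() for k, v in
                   (line.split(":", 1) for line in block.splitlines() if ":" in line)}


def sources_missing_signed_by(sources_text):
    """URIs of deb822 .sources stanzas that carry no Signed-By (the hygiene check)."""
    return [s.get("URIs") for s in _stanzas(sources_text) if "Signed-By" not in s]


def parse_preferences(prefs_text):
    """Records of the form Pin: origin "<host>" -> (package list, host, priority)."""
    pins = []
    for s in _stanzas(prefs_text):
        host = re.fullmatch(r'origin\s+"?([^"\s]+)"?', s["Pin"]).group(1)
        pins.append((s["Package"].split(), host, int(s["Pin-Priority"])))
    return pins


def priority_for(pins, package, origin):
    """Specific-form records (named packages) beat general-form (Package: *); default 500."""
    for want_specific in (True, False):
        for packages, host, prio in pins:
            specific = packages != ["*"]
            if specific == want_specific and host == origin and (not specific or package in packages):
                return prio
    return 500


@dataclass
class Candidate:
    version: str
    origin: str
    priority: int


def select_candidate(package, installed, available, pins):
    """available: [(version, origin host)]. Returns the Candidate apt would pick."""
    cands = [Candidate(installed, "installed", 100)]
    cands += [Candidate(v, o, priority_for(pins, package, o)) for v, o in available]
    vkey = cmp_to_key(dpkg_compare)
    return max(cands, key=lambda c: (c.priority, vkey(c.version)))


# Constructed scenario: the compromised third-party repo ships base-files with
# a huge epoch so that it outranks every official version.
INSTALLED = "12.4+deb12u5"
AVAILABLE = [("12.4+deb12u5", "deb.debian.org"),
             ("99:12.4+deb12u5+evil1", "pkgs.example.com")]

SOURCES = """\
Types: deb
URIs: https://deb.debian.org/debian
Suites: bookworm
Components: main
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Types: deb
URIs: https://pkgs.example.com/apt
Suites: stable
Components: main
"""

NO_PINS = ""
PINNED = """\
Package: *
Pin: origin "pkgs.example.com"
Pin-Priority: 100

Package: example-agent
Pin: origin "pkgs.example.com"
Pin-Priority: 500
"""

if __name__ == "__main__":
    print("sources without Signed-By:", sources_missing_signed_by(SOURCES))
    for label, prefs in (("no pins", NO_PINS), ("pinned", PINNED)):
        c = select_candidate("base-files", INSTALLED, AVAILABLE, parse_preferences(prefs))
        print(f"{label:8}: base-files -> {c.version} from {c.origin}")
```

Without a preferences file both sources sit at priority 500 and the higher (epoch-inflated) version from pkgs.example.com wins, exactly as the question describes; with the Package: * record at priority 100 the official 12.4+deb12u5 at 500 is kept, and only the explicitly allowed example-agent can come from the third-party source at normal priority. The Signed-By check is the separate hygiene concern: it tells you which stanza would accept any key in the system keyring, but says nothing about which packages that source may override.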