As for updates - my OS has a built-in package management system, which is responsible for installing and updating packages. Why should notepad++ bypass that and do its own independent update process?
Because other OSs do not and the notepad++ team wants all users to have a similar experience.
If you don’t need auto updates, just disable them.
More importantly, notepad++ being able to update itself is not the exploit here. Your OS’ package manager would download the same compromised binary as notepad++’s built in updater.
What OS doesn't have a package manager now? Windows, Linux, and MacOS all have their own systems.
On windows, the package manager downloads the release of notepad++ directly from github, so it would not have been compromised. The hijack was done on the notepad++ website at the webhost level as I understand it, and the built in updater pulled from there.
