If crates.io security is a concern, then you're looking at a completely different problem than "just" cross compilation. You will be kind of forced to go and use the git repo of each crate, getting it locally and somehow gluing everything together to let cargo build with --offline or so. With 100+ dependencies for a small-to-mid app, that sounds unmanageable... How would using bazel or make help solve this? With all these package managers, dependency confusion is going to be a problem. .NET recognized it and solved it by letting you define where crates can get pulled down from (like, MyOrg.* crates can only be downloaded from MyOrg.io). Cargo would probably have to address it in a similar way.
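For reference, the offline build the comment above describes does not require hand-gluing git checkouts: `cargo vendor` copies every dependency in the lockfile into a local directory and prints the source-replacement stanza below. This is an added example, not part of the original comment; the `vendor` directory name is the `cargo vendor` default and the `[net]` section is an assumption about how you would pin the build to offline mode in a checked-in `.cargo/config.toml`.

```toml
# .cargo/config.toml (example, not from the original comment)
#
# Redirect every crates.io lookup to the vendored copies produced by
# `cargo vendor`, so a build never reaches the public registry.
[source.crates-io]
replace-with = "vendored-sources"

[source.vendored-sources]
directory = "vendor"   # default output directory of `cargo vendor`

# Assumed hardening: refuse any network access at build time, so a crate
# that somehow escapes the replacement above fails loudly instead of being
# fetched from the public registry.
[net]
offline = true
```

With this committed alongside the `vendor/` tree and `Cargo.lock`, reviewers can diff the vendored sources like any other code, and a dependency that is not already vendored produces a hard build error rather than a silent download.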