Policy regarding taking over Hackage packages

This topic has become a mix of the abstract (policy and practice) and the concrete (cryptonite).

In the case of the latter package, on Hackage, it is clearly marked as deprecated in favour of crypton.

For its part, the change log of crypton on Hackage clearly states that crypton-0.31 was forked from cryptonite with the original author’s permission.

The change in the status of cryptonite was also discussed on this site in September 2023.

The maintainer of crypton, Kazu Yamamoto, has a public profile, both within and outside of the Haskell community. (By which I mean, the question “Who is the maintainer of this package, and what do I know about them?” does not hit the wall of anonymity.)

On Hackage, both cryptonite and crypton warn in their opening sentences:

“Evaluate the security related to your requirements before using.”

and people, including @hasufell (who has had a consistent public message on this topic for as long as I can remember), have warned that when it comes to Haskell’s ‘cryptographic’ packages, users do need to take great care when using them for certain purposes.
