Just because it's open source doesn't make it trustworthy or bug free. Are you going to audit tends of thousands of lines of code to find an obscure vulnerability that a state actor has gotten added in a way that's not obvious?