You talk as though closed-source developers reviewed all the upstream code. The exact same problem exists with closed-source, except there isn’t even the possibility of reviewing all the code if you want to. At worst, the lack of review in FOSS projects is on par with closed-source projects. At best, it’s a much smaller problem .

Unsourced claims like this do absolutely no good to anyone, ever. Which means that either right before typing this comment, you though to yourself “time to be a bad person for no good reason” or you’re a shill for some surveillance agency with an interest in scaring people away from privacy enhancing solutions.