So the whole thing about FOSS is that at its core, someone could add malicious features or whatever to a codebase, but it can be discovered if people notice adverse effects and dig into it.

Like that one supply chain attack by “Jia Tan” on xz tools, that was quite nefarious, well planned and executed, yet some nerd noticed a slightly longer than normal response time and looked into it (a gross simplification, some luck might have been involved but you get the point). If it were a closed-source proprietary tool, the owners would shrug their shoulders and gaslight people into believing it’s nothing.

That’s why people make a fuss about binary blobs in FOSS code, if anything unwanted was happening, it could always be from there.

My personal level of checking is ensuring that I have gone to the correct official source, but I will generally have to trust the builder that was linked from that source did not modify or inject anything.