Nostrgram uses nip07, so key exfiltration wasn't the concern. The assumption that open source projects magically get "programmers all around the world watching" isn't right neither. Sadly most open source projects have only their core team watching. Watching a quickly evolving software project is a full time job that people don't do lightly. Only projects that are used by many teams get good scrutiny.