Sure it’s a risk. And I’m not a dev. But I rely on a network of devs here to review the open-sourced code on the clients I use to make sure nothing malicious is going on.