It's worse to use an encrypted but potentially compromised channel than a plain text one only when you assume the encryption is not in fact compromised, which you shouldn't do.
So I fail to see the problem. It still likely protects you from nosy neighbors or nasty non-tech-savvy competitors, even if it doesn't protect you from state-level actors or from Facebook itself.
The above, in addition to the fact that open source is neither required for auditing nor guarantees proper auditing occurring (see OpenSSL having vulnerabilities for years before anybody released them to the public).