I think the premise is we would know if it already did that, and incremental code changes can be inspected to see it isn't added. So yeah, it's pretty safe to say open source makes it trustable.
That's pretty reasonable, but if I were a malicious actor looking to do something like this, I'd try to introduce different bugs at different times that combine to leak passwords. That would give plausible deniability, too. Not saying it's an easy scheme to engineer.
People inspect Chrome diffs for weird changes too. Closed-source software does not prevent people from noticing malware, especially in some of the most heavily scrutinized software in the world.