[KingMachiavelli]

True, but it's only safe if you do that. You have to either inspect the code every time you use the site or run it locally. Until subresource integrity [1] becomes widely used & the capability to 'pin' a given script to a specific version, web applications can not be used without at least trusting the owner of the domain.

A better example is Protonmail, a secure email service. It has a nice web client and there is an 3rd party desktop/electron version of the same size called Electronmail. While both essentially run identical code, the electron version is more secure because even Protonmail insert a backdoor for a single or # of users. They would have to at least publish the backdoor in the vanilla code at which point, the maintainers of Electronmail will probably raise the alarm.

[1] https://developer.mozilla.org/en-US/docs/Web/Security/Subres...

[t-writescode]

Or, you could download the repository, validate it once for yourself and then use it repeatedly. It is open source, after all.

[rkagerer]

Write a little piece of open-source client software to take a hash of the source code. Check the hash every time you use it. Spread the tool around to a community of people who review every time the hash changes and publish (separately) a history of attested hashes.