That's true, and in that sense it doesn't really matter if they publish the server source or not (although they really should continue to do so). What does matter is that the client was designed with a possible malicious server in mind so you don't have to trust the code the server is running.