If the project has a malicious maintainer, it's easier to find out if it's in the open - and either force change or not use the project at all. It's impossible to do that when you have no access to that information in the first place.
It's not perfect but it's something vs nothing. I'll take something every time.
How do you track down a malicious maintainer introducing a back door slowly over a year, a little change at a time, given how long CVEs in OpenSSL have gone unnoticed, for example?
I guess you have never had commit rights to any Linux distribution or such?
You don't get commit rights as a random person, so yes, a commit can usually be traced back to a person. Sure, the committer could have received a patch from an unknown person, but then he's still responsible for the commit.
That's not what I tried to say. It's up to you as a user to do due diligence and make an informed decision on whether you want to use the software or not.
Any serious project would have some form of web of trust and know who has commit rights. It's up to you to decide if you trust their web of trust.
I guess from your comments that you are not actually interested in contributing to the discussion, since you just spout single-line comments with no information at all.
In any case, "a random nickname on the Internet, using a computer somewhere in the globe" is a lot more information than none.
Finding out that that's the case for a given project is part of traceability.