If you take that line of argument, you must also accept that you have no reason not to assume that binary distributions of Android and Windows haven't been doing similar things for the past decade.
I agree with you in that I don't think the problem is the closed-source aspect. Closed source software can still be audited (with difficulty). The problem is that the source material for the hashes can't be audited, even when we know exactly how the system works.