Doesn’t help if the exfiltration only occurs monthly and you only monitored for a week, or if there’s something locally malicious, or if side channels are involved, or if it’s manipulating data sent to legitimate sites (e.g. instructions to your bank, while logged in as you).
Quite right that these concerns apply to any software, but they are significantly mitigated by sourcing software from organizations you trust.
There’s no way I would be able to spot the operation of malware-masquerading-as-browser without committing totally to a forensic examination of every system call it makes. Imagine how much attention you’d have to pay to stop it capturing your bank credentials and then making transactions in an invisible tab (the browser doesn’t have to render a site in order to interact with it).