by josephcsible 1136 days ago
You connect non-open-source third-party tools to your work calendar? I certainly don't.
3 comments

Why is open source different? You are either hosting your own service instance or you are running something you don't control with no hard guarantee that the code matches what is running. (Not to mention compilation env differences and other intermediate possibilities.)
Because if it's not open source, then you can't trust it even when you do self-host it.
Do you read the full codebase including all dependencies including every changeset of the open source tools you connect?
Well, with private/company data, I for sure would skim the source and keep some network inspector open if I didn't have sufficient grounds to trust the app.

It's not black-and-white for me, more like an intuitive estimate of probability of mishandling data, colored by relevant policies. But some specific examples from work:

- I wouldn't use Trello or GSuite without clearing it with corporate; however, I would still trust the two much more than a random Tinder for Meetings app, because the two are well-known multinationals (read: stationary targets for lawsuits), while that Tinder for Meetings thing is a small thing, and could easily be a scam / data exfil attempt by someone who'll disappear the next day, never to be found;

- I use O365 tools, because corporate has signed appropriate deals with Microsoft and I can safely assume those tools are OK to use;

- I'm not worried about third-party packages from MELPA exfiltrating proprietary data via my Emacs, because of a combination of Free Software culture, Open Source culture, Emacs being niche, and this never happening before to my knowledge;

- I am worried about third-party extensions to VS Code, because it's more mainstream software culture, has mass appeal meaning it's a good target for scammers, and the entire ecosystem is thoroughly infused with analytics and surveillance bullshit;

- I use ChatGPT for various things (via API, through an alternative frontend), but I do not use it for generic, non-company-specific things, always triple-checking that I'm not accidentally revealing any IP; this is in line with recent company policies;

Etc.

Do you hire an accountant to do your company's taxes? If so, what's the difference?
Accountants are hired under confidentiality agreements. Connecting random third parties to your systems that have "we are allowed to do anything we want at any time" agreements is kind of the exact opposite of that.
As others said, accountants are hired under confidentiality agreements. What that means is, should said accountant breach my trust, they're an easy target to hit with a lawsuit. The possibility discourages scammy behavior and establishes some baseline trust.

Big corporations are also good targets for lawsuits - they may not be easy, but they are stationary, and if you have a good case, chances are many other people have one too. This is, again, establishing some baseline of trust, even in absence of a proper business contact.

Random SaaS / fresh startups? They're highly-mobile targets. There's a good chance they may close shop and disappear overnight. There is no baseline of trust there, and much more thorough due diligence is required.

Confidentiality agreements aside, the scale isn't the same.

Accountants have tens of clients, online apps have thousands or millions. For an app, the relative benefit from skimming a bit off every client is higher, the relative cost of losing one client who notices is lower.

There is a regulatory body for CPAs, which includes things like ethics. There are "generally accepted accounting practices" (GAAP) which are adopted by regulatory bodies like the SEC and IRS. There are laws that are related to all of the above.

Point is, my dealings with my accountant(s) are highly regulated, and there are expectations of confidentiality, trust, and privacy -- with rules and laws to back that up.

Not the case with some random app handling your corporate data. Plus Outlook and other calendars integrate with many other systems, and there are a lot of nasty hacks if you can get someone's email. Lotta risk for negligible gain.