by vasco 1136 days ago
Do you read the full codebase, including all dependencies, including every changeset of the open source tools you connect?
1 comment

Well, with private/company data, I for sure would skim the source and keep some network inspector open if I didn't have sufficient grounds to trust the app.

It's not black-and-white for me, more like an intuitive estimate of probability of mishandling data, colored by relevant policies. But some specific examples from work:

- I wouldn't use Trello or GSuite without clearing it with corporate; however, I would still trust the two much more than a random Tinder for Meetings app, because the two are well-known multinationals (read: stationary targets for lawsuits), while that Tinder for Meetings thing is a small thing, and could easily be a scam / data exfil attempt by someone who'll disappear the next day, never to be found;

- I use O365 tools, because corporate has signed appropriate deals with Microsoft and I can safely assume those tools are OK to use;

- I'm not worried about third-party packages from MELPA exfiltrating proprietary data via my Emacs, because of a combination of Free Software culture, Open Source culture, Emacs being niche, and this never happening before to my knowledge;

- I am worried about third-party extensions to VS Code, because it's more mainstream software culture, has mass appeal meaning it's a good target for scammers, and the entire ecosystem is thoroughly infused with analytics and surveillance bullshit;

- I use ChatGPT for various things (via API, through an alternative frontend), but I do not use it for generic, non-company-specific things, always triple-checking that I'm not accidentally revealing any IP; this is in line with recent company policies;

Etc.