I mean, the code for everything is open source. It's credible because they're doing it. If they started changing to not do it, people would notice, very quickly.
That makes sense. So first they have to go closed-source before that attack vector is even feasible, and doing so would be sufficient on its own to raise alarms.