It's not just a PR tactic. If the app is closed source, how do you know it's all local storage? Because someone on the internet said so? These days you can't really MitM and investigate the network connections.
Agree with you if privacy first is the goal then open sourcing it is absolutely the right move. However, it IS still possible to MITM these days - although more difficult.
frida.re has a ton of useful features and community tooling built around it including scripts that will let you "un-pin" certificates by hooking and rewriting the functions that verify whether cert pinning worked or not.
frida.re has a ton of useful features and community tooling built around it including scripts that will let you "un-pin" certificates by hooking and rewriting the functions that verify whether cert pinning worked or not.
https://frida.re/
https://codeshare.frida.re/@masbog/frida-android-unpinning-s...