Why is that relevant regarding the FOSS aspects of weights / binaries? If I run a binary within a VM and only consider its output and prevent any side effect on the host, just like I could just consider the output of an LLM, my binary is still not any closer to being FOSS, is it?
Virtually all models are now distributed as Safetensors/gguf/etc. (which are just metadata + data), not pickled Python classes. Many libraries also don't even load pickled checkpoints anymore unless you add an argument explicitly stating that you want to load an unsafe checkpoint.
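As an added illustration of the "metadata + data" point in the reply above (not part of the thread and not any library's own code): a structural check of the safetensors layout, which is an 8-byte little-endian header length, a JSON header, then raw tensor bytes. The function names, the 100 MiB header cap and the sample bytes are assumptions made for this example.

```python
import json
import struct

MAX_HEADER = 100 * 1024 * 1024  # sanity cap chosen for this example
PICKLE_SAMPLE = b"\x80\x04N."   # constructed: pickle of None, protocol 4

def parse_safetensors(blob: bytes) -> dict:
    """Validate the header only: 8-byte LE length, JSON header, raw data buffer."""
    if len(blob) < 8:
        raise ValueError("too short for the 8-byte header length")
    (hlen,) = struct.unpack("<Q", blob[:8])
    if hlen > MAX_HEADER or 8 + hlen > len(blob):
        raise ValueError("header length out of bounds")
    header = json.loads(blob[8:8 + hlen].decode("utf-8"))
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    data_len = len(blob) - 8 - hlen
    tensors = {}
    for name, info in header.items():
        if name == "__metadata__":  # optional free-form string map
            continue
        begin, end = info["data_offsets"]
        if not 0 <= begin <= end <= data_len:
            raise ValueError(f"{name}: offsets fall outside the data buffer")
        tensors[name] = (info["dtype"], tuple(info["shape"]), end - begin)
    return tensors

def classify(blob: bytes) -> str:
    """Label a checkpoint by structure so pickle-based files can be refused."""
    try:  # safetensors has no magic bytes, so validate it structurally first
        parse_safetensors(blob)
        return "safetensors"
    except (ValueError, KeyError, TypeError):
        pass
    if blob[:4] == b"GGUF":
        return "gguf"
    if blob[:4] == b"PK\x03\x04":  # zip container, as written by torch.save
        return "zip (pickle inside)"
    if len(blob) >= 2 and blob[0] == 0x80 and 2 <= blob[1] <= 5:
        return "pickle"  # PROTO opcode followed by the protocol version
    return "unknown"

def build_sample() -> bytes:
    """Constructed safetensors blob: one 2x2 F32 tensor of zeros."""
    header = {"w": {"dtype": "F32", "shape": [2, 2], "data_offsets": [0, 16]},
              "__metadata__": {"format": "pt"}}
    raw = json.dumps(header).encode("utf-8")
    return struct.pack("<Q", len(raw)) + raw + bytes(16)
```

Nothing in the safetensors path is executed or deserialized into objects; the header is plain JSON and the offsets are bounds-checked before any tensor bytes would be read.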