Yes, but they can actually know it fulfils some security criteria of theirs. Doesn't have fundamentally broken cryptography hidden somewhere, doesn't leak its keys, all that bare minimum is really difficult to guarantee with external unknown implementations.