[schoen]

I read the claims on their home page as referring to the use case where someone starts using it immediately. (The benefit that they mention on the home page from open source is third-party auditability; the home page doesn't even mention the ability to create your own instance!)

The developers might well be thinking along the lines that you describe, but I don't think that a visitor to the site is likely to understand the threats that way.

Edit: Looking at https://subrosa.io/security I think it's even more clear that they're making these claims for their own hosted instance of their software -- and that's what people here are most skeptical of.