Open source is not a silver bullet for the security of a system, nor is closed source automatically insecure or inauditable. They both require skilled auditors to check the integrity of any code base, whether it’s in source-viewable form or as a binary (absent reproducible builds, you have no assurance the resulting binary came from a particular code base, which is another point to the XZ problem).

There are numerous tools and utilities to do so even without source code. If it works as advertised with no adverse side effects, use it as intended. But that takes effort and using one’s brain to solve problems rather than carping tired absolutist political stances… oh wait… so do source code audits! Granted, it might be easier with source code, but see above. There are numerous ways to compromise an end product through the build process or runtime environment without ever touching the source code. In fact, normal Linux distros make it trivially easy to do so - read up on LD_LIBRARY_PATH. That doesn’t even contemplate the nightmare scenario of compromised compiler suites.

Given the alternatives, I might prefer FOSS myself, but I don’t delude myself into believing FOSS is automatically more secure because “FOSS”. It’s more secure only if the environment it is developed and built in is provably secure. It’s more private only because the environment that it’s produced in generally values its privacy. If Jia Tan has proven anything, it’s that those assumptions aren’t always valid and should NEVER be taken for granted. The practical reality is that FOSS isn’t magically secure because the source code is viewable. It’s just possible for random people to view it, but there’s no guarantee skilled auditors will do so. Linux servers are compromised hourly, just as quickly and easily, by both the skilled and the unskilled as Windows systems are.