Hacker News

> most mainstream software from renowned companies should be [...] classified as malware.

Most FLOSS has not fallen in this category.




Exactly. To keep being user-hostile and keep the user base, software needs to satisfy some requisites: being closed or depending on non-reproducible proprietary services, or having no better competitors. User-hostile software that happens to be useful and is open would be forked and cleaned in no time, or users would flee to the competition if there is any. The fact that the most user-hostile applications today live in closed proprietary PC or mobile operating systems, or proprietary services where there is no such thing as either openness or competition, gives a hint on where the problem is.


An interesting counterexample is Cheat Engine, which loads adware with its download unless you pay on Patreon or build from source.


I have never used it, but that seems a good approach, if only for encouraging people to learn to build software instead of blindly installing it.


But even a significant portion of FLOSS can be legitimately called spyware. Firefox, Chromium, Docker (although Docker Desktop is no longer open source), Homebrew, Mattermost, Netdata, Bitwarden - all of these are common, popular FLOSS that embed spyware, oftentimes operating silently (other than a little notice at install time that the authors think constitutes informed consent).

The spyware epidemic is real, and FLOSS is not immune.


With FLOSS, the culture often looks down upon telemetry so there's an incentive not to include those because of user outcry (Audacity, ahem). Forking or patching out the offending pieces of code is also possible (see Audacity again).

Caddy v1 also came with telemetry, but it was trivial to rebuild it with the telemetry switched off. The best you can do with closed software like Windows is to apply a hack and hope it's not undone after an update.


That's true, but still, the trend of embedding spyware in FLOSS is becoming normalized. On top of that, FLOSS spyware vs. proprietary spyware is a distinction that is useful only for software developers - a subset of "tech-savvy people". Until recently, tech-savvy people could just assume that FLOSS software is free from bullshit, and both use it and recommend it to non-tech-savvy people without checking.

FLOSS or not, most software still comes as products, with a name and an owner. The openness could, in principle, enable a "network of slightly different forks" model of software evolution, but it didn't. There's universally a single canonical repo, with the "real" owners, and occasionally some niche forks. A fork takes over only when it can win the marketing game against the repo it forked from. So, each time an owner of the canonical repo decides to include telemetry in their project, their users who aren't software developers are screwed.


Wait, what did Bitwarden do?


https://github.com/bitwarden/desktop/issues/552

It downloads and executes unexamined code released by the devs, potentially backdooring your whole machine SolarWinds-style.

It also divulges to MSFT (GitHub admins) all the IPs of Bitwarden users (even ones using a self-hosted API).


Isn't this true for any app that has updates though?


No-interaction autoupdates, yes.

This is how the SolarWinds hack happened.


This is what Mozilla says about data collection.

> By default, Mozilla collects limited data from Firefox to help us understand how people are using the browser, such as information about the number of open tabs and windows or number of webpages visited. This does not include data that can reveal sensitive information about users’ activity online, such as search queries or the websites users visit.

I think you are defining the term spyware too broadly.
