That's only the case if I am unable to review the code myself, before any update, I fully understand the code, and I am smart enough that the contributors are unable to pull a fast one on me.
Given that I'm not a cryptography expert, I have a limited number of hours in the day, and open-source supply chain attacks are typically obfuscated, I don't consider that to be a trivial statement.
In theory, that's only the case if you are unable to review the code yourself.
In practice, it's like saying that TLS encryption is pointless, because one needs to trust every single person who implements it.