> Grandma and grandpa aren't reading the source code and certainly not up at a professional level.

This is one of the core misconceptions of the anti "free/libre" formulation of OSS. Most users don't need to read the entire Debian source to know that it is safe to use. You are free to look up who maintains any part of the project and look at the history of changes that have been made. A lot of projects have nice, easy to read notes along with the actual code.

If you are so paranoid that you can't even trust open release notes then why would you trust a closed project at all?

I’m not suggesting grandpa reads code, contributors do. We all know that most commercial code is much shittier than open source. Sure, commercial code usually covers more edge cases and has better UX, but is cobbled together from legacy and random product asks.