> how do you prove the firmware in the flash chip matches source?

Trusted, qualified independent experts: Ala Underwriters Laboratories.

A trusted website that compiles it from source and a way for you to go to a webpage and flash from there automatically. The FPV community does that all the time with a set of websites for their ESC, flight controllers, radio, all open source. You can add signatures etc but just a trusted website goes a long way vs a random blob preinstalled

not to mention even on the bananapi you gotta trust mediatek.

There's no solution to that other than having knowledge and researching the code/device yourself. You can pick apart modern Linux/busybox based IoTs fairly quickly, so effort needed is not really a huge issue.

Maybe trusted community of people could do it for everyone, but there's currently all kinds of potential legal trouble brewing in that approach. Complete and public reverse engineering of every aspect of any device would have to be made completely legal, so that people could freely publish all artifacts extracted from a device and produced during reverse engineering and collaborate on them without any fear of repercussions. Also HW manufacturers would have to be prohibited from NDAing documentation for SoCs, etc.

Side benefit would be that this would also serve as a documentation for freeing the device and developing alternative firmwares with modernized sw/reduced attack surface.