When it comes to software/apps, remember:
- If you didn’t code it yourself, you don’t know what it really does.
- If you read the source but then install the binary, you wasted your time reading the source — compile it yourself.
- If you use someone else’s compiler to create your own binaries, you don’t really know what will come out of the other end .
The chain of trust hinges on the compiler — everything after that depends upon it. You aren’t going to write your own compiler (and really shouldn’t even try unless that’s what you do for a living, so to speak) but remember the above points before you decide to install/use something — it’s all a matter of trust, so be careful whom you trust.
you simply never ever know, unless they all become Open Source.
… which doesn’t resolve points 2 or 3 above.
Closed is closed: if you aren’t hosting the VPN yourself, you can read as much of the source as you want … all of it … but you still have no idea what’s really going on behind the scenes — no more than you know who is running the proxy or who is hosting the TOR nodes you hop through.
At the end of the day, you are still blindly trusting an unknown second party.