Again: you're saying "possible threat". I agree it's possible. What you have not demonstrated is that it's likely or reasonable enough to serve as a basis for changing my own actions.
It's possible that a password manager could be completely open source, distributed with checksums and public key signatures, that my C compiler could be completely open source and distributed with checksums and public key signatures, and I could still end up with a backdoor in the final compiled result, detectable only by deciding to carefully examine the binary I just built.
This is a "possible threat". Should I use that possibility as a justification for never using a password manager? Or for never using a C compiler?
Simply put, you need to have some assurance that the binary that you're downloading is the one that the developers compiled, and the easiest way to do that is to have crypto checksums. If you don't, all bets are off.
And it's not just a "possible threat" but a likely one, and it's happened multiple times in the past. Sites get hacked all the time, and trojans are standard practice these days (unlike compromised-binary-generating C compilers):
It's possible that a password manager could be completely open source, distributed with checksums and public key signatures, that my C compiler could be completely open source and distributed with checksums and public key signatures, and I could still end up with a backdoor in the final compiled result, detectable only by deciding to carefully examine the binary I just built.
This is a "possible threat". Should I use that possibility as a justification for never using a password manager? Or for never using a C compiler?