If the project has a malicious maintainer, it's easier to find out if it's in the open - and either forcing change or not using the project at all. It's impossible to do that when you have no access to that information in the first place.
It's not perfect but it's something vs nothing. I'll take something every time.
How do you track down a malicious maintainer, introducing a back door slowly during one year long, a little change at a time, given how long CVEs in OpenSSL have been unnoticed as example?
It's not perfect but it's something vs nothing. I'll take something every time.