I think you’re probably right but it would depend on languages - something statically typed and well defined like rust would be much easier to analyse than something like php which could construct and execute a backdoor dynamically in a very non obvious way. All this depends on code readability and simplicity, which in software which is a complete mess would probably need a sandbox to have at least some level of assurance (I’d prefer to see unreadable apps outright rejected from use, but that opinion won’t fly in the face of the business world).
So in summary, I concede you are right in most, but not all cases.
So in summary, I concede you are right in most, but not all cases.