Open sourcing would just be a PR tactic IMO. Since it's all local storage anyway, there shouldn't be many security maintenance issues. I just think it gives a nice story angle for bloggers and tech press. But agreed, trying to build an active open source project with a community around it is a whole other ballgame and likely not worth the trouble.
It's not just a PR tactic. If the app is closed source, how do you know it's all local storage? Because someone on the internet said so? These days you can't really MitM and investigate the network connections.
Agree with you: if privacy first is the goal, then open sourcing it is absolutely the right move. However, it IS still possible to MITM these days - although more difficult.
frida.re has a ton of useful features and community tooling built around it, including scripts that will let you "un-pin" certificates by hooking and rewriting the functions that verify whether cert pinning worked or not.