It's basically a group of devs calling the shots. Like any open source project, code audits could well be an afterthought with post-incident remediation. Also, the average Bitcoin user isn't going to download the source code and inspect it. They just trust that these devs are acting, and always will act, in their best interests.
This reminds me of an incident at the beginning of the Ukraine situation when the owner of a heavily used library used in many prominent upstream projects decided one day that his ideological position was so strong that he would initiate a supply chain attack in his code targeting Russian users by IP or something. There was nothing to stop this. That's the nature of open source software.
You just need one honest pair of eyes watching the code to sound the alarm. Even if the Bitcoin core developers conspired to sneak in malware, it might affect a few users but would be quickly detected and wouldn't impact the Bitcoin network/protocol itself.
It's neither trustless nor regulated.