1. Subtle bugs that look OK during code review but actually introduce security problems (like == vs = but with a multi-billion-dollar spy agency behind it).
2. Binaries that don't match the source code (compile with the backdoor present, release code with it removed).
2b. An auto-update mechanism that lets the vendor deploy an update only you receive, which compromises your keys, then release another update minutes later that removes the compromise and covers their tracks.
3. The device shipping with an update mechanism that adds a backdoor during update installation, so there's no backdoor when you inspect the update on your computer but there is when running on the device.
Only the software is open source; the hardware could still be backdoored. Not to mention that unless you plan on compiling the software yourself and installing it on the box, there is no way to be sure that is what you're really getting. I am not too paranoid about that kind of thing being true, but I'm also not that excited about this device.
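The check behind point 2 above and the "compile it yourself" remark in the second comment is a reproducible-build comparison: build from source locally, then compare every artifact's hash against the manifest the vendor publishes (or against the binary actually fetched from the device). The script below is an added example, not code from either commenter or from any vendor; the manifest format mirrors GNU `sha256sum` output, and the file names and contents in `demo()` are constructed for illustration.

```python
"""Compare a locally built artifact tree against a vendor-published
sha256sum-style manifest and report every file that does not line up.
Added example for the thread above; file names are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path


def parse_manifest(text: str) -> dict:
    """Parse lines of the form '<hex digest>  <relative path>' (sha256sum output).
    A leading '*' on the path marks binary mode in sha256sum and is ignored."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if not name or len(digest) != 64:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name.lstrip("*")] = digest.lower()
    return entries


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large firmware images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_build(build_dir, manifest_text: str) -> dict:
    """Return {relative_path: status} for the union of manifest entries and local
    files. Status is 'match', 'mismatch', 'missing_locally' or 'not_in_manifest'.
    Anything other than 'match' across the board means the released binaries
    are not what the published source produces (or the manifest is incomplete)."""
    build_dir = Path(build_dir)
    expected = parse_manifest(manifest_text)
    local = {
        str(p.relative_to(build_dir)).replace(os.sep, "/"): p
        for p in build_dir.rglob("*") if p.is_file()
    }
    report = {}
    for name, digest in expected.items():
        if name not in local:
            report[name] = "missing_locally"
        elif sha256_file(local[name]) == digest:
            report[name] = "match"
        else:
            report[name] = "mismatch"
    for name in local:
        if name not in expected:
            report[name] = "not_in_manifest"   # shipped but never declared: inspect it
    return report


def demo() -> dict:
    """Constructed scenario: one artifact matches, one differs from what the
    vendor published, one is listed but absent, one is present but unlisted."""
    good = hashlib.sha256(b"reproducible build output\n").hexdigest()
    vendor_bootloader = hashlib.sha256(b"vendor-shipped bootloader\n").hexdigest()
    manifest = "\n".join([
        f"{good}  firmware.bin",
        f"{vendor_bootloader}  bootloader.bin",
        f"{'0' * 64}  updater.bin",          # placeholder digest for a missing file
    ])
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "firmware.bin").write_bytes(b"reproducible build output\n")
        (root / "bootloader.bin").write_bytes(b"locally built bootloader\n")
        (root / "extra.bin").write_bytes(b"something the vendor did not list\n")
        return verify_build(root, manifest)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:16} {name}")
```

Run it against a real tree with `verify_build("/path/to/local/build", open("SHA256SUMS").read())`; the hashing is deliberately plain so the same script can be pointed at firmware pulled back off the device (point 3 in the list) rather than only at the downloaded update file.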