Not discrediting Open Source Software, but nothing is 100% safe.
Luckily there are people who do know, and we verify things for our own security and for the community as part of keeping Open Source projects healthy.
Open source software is safe because somebody knows how to audit it.
And to a large extent, there is automatic software that can audit things like dependencies. This software is also largely open source because hey, nobody’s perfect. But this only works when your source is available.
The point is not that you can audit it yourself, it’s that SOMEBODY can audit it and then tell everybody about it. Only a single person needs to find an exploit and tell the community about it for that exploit to get closed.
You can get a good look at a T-bone by sticking your head up a cow’s ass but I’d rather take the butcher’s word for it.
There are people that do audit open source shit quite often. That is openly documented. I’ll take their fully documented word for it. Proprietary shit does not have that benefit.