Unless you’re reading the source of every dependency and building all of your software from source yourself, you’re always trusting someone, even with open source. Often the software you install on your computer was built by someone else, and whoever built it had the opportunity to inject malware into the binary, separate from the code you read in their repo.