The playbook for what will happen is in the code. You custody the keys and you have the ability to audit (or delegate the audit) of the code. But you are correct, without performing that audit, you are putting a certain of level of trust in the developer.