How is ZBD different from any other client where you input your private key instead of on-demand air-gapped signing from offline device?

For example, how can you be sure that Damus does not send your private keys directly to its own servers? Yes, you see source code on github (which you won’t audit ever) but you have no way to check that app on your iphone was buily using this source