Unless you’re reading the source of every dependency and you build all of your software from source, you’re always trusting someone, even in open source.
Many times the software you install on your computer was built by someone else, who has the chance to inject malware, separate from the code you read from their repo.
I'm not able to read the source. I use Homebrew on macOS and Flathub on Linux. I think Homebrew has a larger install base. Is it crazy for me to trust my use of macOS more? I also monitor outgoing traffic with Little Snitch and use hardening guides to reduce telemetry.