With the second party (Gitlab in this case) I have a contact, give them money regularly, and have other such leverage in case they screw up. Third parties generally could not case less what damage they may cause.
But what's the difference? You PAY gitlab in both instances and your leverage is the same. Do you want to be involved in reviewing their motherboards for spyware chips as well?
