I think their point is that the source being open keeps the developers more honest. Of course there have been supply chain attacks in open source, but that is more probable to be found out than closed source ones. In short, auditability improves security.

The thing is, there's always someone who does read it or inspect changes. It will surface soon enough if untoward things are happening.

And that is what is being trusted.

Not "the code is readable therefore trustable".

More "the code is readable, therefore I trust multiple someones, somewhere will read it or has read it and if they have a concern they will voice it".

Is it the greatest thing to trust? No, but like a lot of things in life, it's the best of the practical options.