This is not responsive to the core of my argument that nobody who actually audits and analyzes this stuff will tell you that source availability is necessary or even useful for figuring out if a particular application does what it says it does, unless you’re building the entire thing yourself off a trusted buildchain.
Even if you have repeatable builds you still audit what the thing actually does.
Even with repeatable builds there are some ways to exploit the system, for example sending a targetted binary to audience that does not check the binaries, or sending a malicious update that exports all your history when you won't notice it (at night?) and then sending a good update to cover up.
Mozilla has done some research to close these issues [0] but until this is enforced on a system level reproducible builds won't solve the underlying problem.
Even if you have repeatable builds you still audit what the thing actually does.