pull down to refresh

It's not what is in the code, it's what is not.
Operating procedures, Open source is not magic.
Just because a company publishes it's code, does not mean what you are using compiles to what they are shipping, or their other design choices aren't part of a broader profiling risk.
They ask for an email, leaves a KYC trace. They don't support the most paranoid browser and operating system privacy conditions.
They are a risk just by being a registered company that can be subpoenaed for info.