It's not what is in the code, it's what is not.
Operating procedures. Open source is not magic.
Just because a company publishes its code does not mean what you are using compiles to what they are shipping, or their other design choices aren't part of a broader profiling risk.
They ask for an email, which leaves a KYC trace. They don't support the most paranoid browser and operating system privacy conditions.
They are a risk just by being a registered company that can be subpoenaed for info.