Sure, FOSS is always better for security applications than proprietary garbage. Which is why Signal, Matrix, Nostr are superior to WhatsApp, Telegram, etc.
And yes, hardware can be compromised as well; keyloggers can be installed, for example. Tails OS is not a silver bullet either.
But according to my threat model, it's harder to do these things at a hardware level if you don't have cooperating software. Say a malicious CPU has recorded your secret - how is it going to exfiltrate it out of the device? Without cooperation from the software (and an open source OS wouldn't cooperate), it would need a completely separate communication hardware+software stack built in just for that purpose.
I posit that it would be orders of magnitude harder for hardware manufacturers to hide the presence of such malicious circuitry than it is to sneak in a rootkit with the OS.
I see, makes sense, thanks for your reply!