Re: "basically operated by one volunteer in charge of a small team of volunteers"
"In the end, unless you speak fluent C++ (with a security specialisation to boot), you're still trusting "someone else" to deliver secure and reliable code. Or you're still trusting "someone else" to review the code for you in a timely manner."
Even if that is the case, you still have to trust the compiler (and the compiler's compiler).