Closed source also keeps missing CVEs, only most of them you never know because they aren't even making it to an officially released CVE. You usually don't even know what libs it uses and at what versions, never mind the proprietary code.

And then there's the closed source's Cloud part and its holes as well, which is a whole other can of worms.

I haven't said otherwise, other than the fallacy that being open by itself fixes those issues.

for me it's about running it locally/inside a wireguard network, and not having the rug pulled. not everything needs to be exposed to the internet.