Except that if everyone assumes that someone would have done the audit, it would also simply mean that no one has done it.

Just do some research on Reddit or Quora (or Google ofc): there’s always the same kind of formatted response.

This is a foolish - if not dangerous - way of thinking.

  • Mad
    62 years ago

    Even if no one’s done a proper audit, if there are enough contributors someone will definitely notice that something is up, and an audit can be done once concerns have been raised. The reliability of open source comes not just from anyone being able to see the source, but also from the fact that lots of people have to see the source for the project to stay alive.