while true, you can say this about anything which doesn't have any permissions system too. why worry about end-user security, they can just fork and modify.

which means, effectively, that it becomes a 0.001% or worse event. arguably the whole point of privacy-focused (or even -aware) software is to increase that beyond "fork and modify"'s ratio, as far as possible, because it doesn't work in practice for the vast majority of the globe.