Maybe I'm a bit paranoid, but I find it harder to trust the binaries generated by such a project than the ones provided by the Big Techs (even though they are the biggest stalkers).

I'm afraid that such projects, with much less manpower and skin in the game, are more vulnerable to supply chain attacks or a hostile takeover if a dev sells the project.

I'm not very knowledgeable in this area. Would someone contribute here some resources on how this is avoided in such projects? Or maybe my concerns are valid :)

I just installed vscodium on my manjaro machine. It built from the AUR source.

I’m sure you could diff the source code the package used, and the upstream Microsoft git SHA it claims to be derived from:

https://aur.archlinux.org/packages/vscodium

Incidentally, there is now an open source remote mode extension, so I have no reason to use the proprietary version. No more telemetry from me!
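The diff suggested above starts with knowing which commit the AUR package actually checked out. The script below is an added example, not the VSCodium project's or the AUR maintainer's code: it parses the `#commit=`/`#tag=` fragment that makepkg uses to pin VCS sources in `source=()`, flags unpinned git sources, and compares the pin against the upstream commit the package claims to track. The PKGBUILD fragment and the commit hash in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: check that a makepkg source=() entry
# pins its git checkout to an exact commit or tag, and that the pin matches
# the upstream commit the package claims to build from. Values are constructed.

# Print the pin of one VCS source entry ("commit=<sha>" or "tag=<name>") and
# return 0; print "unpinned" and return 1 when the URL has no fragment.
# makepkg writes the pin as a URL fragment: git+URL#commit=SHA[?signed].
git_source_pin() {
    case "$1" in
        *#commit=*) pin="commit=${1##*#commit=}" ;;
        *#tag=*)    pin="tag=${1##*#tag=}" ;;
        *)          echo unpinned; return 1 ;;
    esac
    echo "${pin%%\?*}"             # strip a trailing "?signed" option
}

# Return 0 only when the entry is pinned to exactly the expected commit.
# A tag pin is not accepted here: tags can be moved, commit hashes cannot.
pin_matches_upstream() {
    pin="$(git_source_pin "$1")" || return 1
    [ "$pin" = "commit=$2" ]
}

# Walk the source=() entries of a PKGBUILD given on stdin and report every
# git entry; tarball entries are instead covered by their sha256sums.
audit_pkgbuild() {
    grep -o 'git+[^"]*' | while IFS= read -r src; do
        printf '%s -> %s\n' "${src%%#*}" "$(git_source_pin "$src" || true)"
    done
}

# Constructed PKGBUILD fragment; the hash is a placeholder, not a real
# upstream value. The second entry is deliberately unpinned.
PKGBUILD_SAMPLE='source=("vscodium::git+https://github.com/VSCodium/vscodium.git#commit=0123456789abcdef0123456789abcdef01234567"
        "git+https://example.invalid/unpinned-helper.git")'

printf '%s\n' "$PKGBUILD_SAMPLE" | audit_pkgbuild
```

Once the pin is known and matches the upstream commit, the remaining step is the source diff itself, which needs the two checkouts and so is not shown here.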

> there is now an open source remote mode extension

URL please? Open VSX lists several but it's hard to evaluate if they're complete & stable from just the READMEs. For example, https://github.com/xaberus/vscode-remote-oss has existed for a long time, but one would need to spend a few hours to know if it works well enough.