I definitely agree that an open source backend is great, but you still cannot verify that that’s the code running on their servers.
Open source frontend is much more important IMO.
> you still cannot verify that that’s the code running on their servers
This is why end-to-end encryption is paramount. You could be using Gmail as your provider for all I care as long as your messages are GPG-encrypted. Even if you trust the server-side completely (e.g. self-hosted), it’s still better to encrypt wherever possible, since it reduces attack surface.