Right, but this applies to big piles of security-critical software in general - a near tautology. It's really an argument in favour of my position that neither open-sourcedness nor hostedness are useful criteria in evaluating the security and fitness-for-purpose of a password manager.
No. If I trust the vendor today, and my code is open source, then I can control if, when, and how it changes. With closed source, the vendor can introduce a backdoor with every update. They can also force me to update by making the current code stop working by changing their servers. The potential for compromise due to an untrustworthy vendor is not zero, but it's vastly lower with open source.
