HACKER Q&A
📣 DougN7

How do you know you can trust your password management app?


I use a version of KeePass on my phone and it's a life saver. But I read recently about a Chrome extension that was purchased by a bad actor that added an exploit. The Freenode takeover also has me thinking. And Kaseya, SolarWinds, etc., etc.

If a password manager was ever sold/taken over, an app update could silently give access to all bank accounts, retirement accounts, crypto wallets, etc. for any or all users of that app. This is tremendous risk. Unlikely? Supply chain attacks are becoming more common. Would a state actor have more trouble with a small app developer than they do finding 0-days in Windows?

Even if source code is available for password management apps, it can't be audited reproducibly from source because the required signing will change the package anyway. So I'm getting a little paranoid.

How can we reliably store our most important information safely without just hoping hackers don't get it?
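One way reproducible-build checks deal with the signing step mentioned in the post is to compare only the parts of the package that signing does not touch: the signature lives in its own entries (for JAR/APK v1 signing, files under META-INF/), so a digest over every other entry can be compared between a locally built, unsigned package and the signed one shipped to users. The following Python is an added example, not code from the post, from KeePass, or from any app store; the package layout is a constructed stand-in for a JAR-style signed archive, and the helper names and the list of signature entries are assumptions (newer Android signature schemes store the signature in a signing block outside the entries, which this simplified model does not handle).

```python
import hashlib
import io
import zipfile
from typing import Dict

# Entries a JAR/APK v1-style signing step adds or rewrites (assumption for
# this example). They are skipped when digesting, so a locally built unsigned
# package can be compared with the signed package that was actually shipped.
SIGNATURE_ENTRY_PREFIX = "META-INF/"
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")


def is_signature_entry(name: str) -> bool:
    """True for entries produced by the signing step (v1-style signatures)."""
    return name.startswith(SIGNATURE_ENTRY_PREFIX) and name.upper().endswith(SIGNATURE_SUFFIXES)


def content_digest(package_bytes: bytes) -> str:
    """SHA-256 over every non-signature entry, in sorted name order.

    Each entry contributes its name, a NUL separator, its length and its bytes,
    so renaming a file or moving bytes between files changes the digest."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if is_signature_entry(name):
                continue
            data = zf.read(name)
            h.update(name.encode("utf-8") + b"\0")
            h.update(len(data).to_bytes(8, "big"))
            h.update(data)
    return h.hexdigest()


def matches_local_build(local_unsigned: bytes, shipped_signed: bytes) -> bool:
    """Does the shipped, signed package contain exactly what we built locally?"""
    return content_digest(local_unsigned) == content_digest(shipped_signed)


def build_package(entries: Dict[str, bytes]) -> bytes:
    """Constructed stand-in for a build output: a zip with fixed timestamps."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            zf.writestr(info, data)
    return buf.getvalue()


# Constructed sample inputs (not real app contents or real signatures).
APP_FILES = {
    "AndroidManifest.xml": b"<manifest package='example.passwordmanager'/>",
    "classes.dex": b"dex\n035\x00constructed-bytecode-stand-in",
    "res/values/strings.xml": b"<resources/>",
}
SIGNATURE_FILES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82constructed-pkcs7-stand-in",
}

LOCAL_BUILD = build_package(APP_FILES)
SHIPPED = build_package({**APP_FILES, **SIGNATURE_FILES})
# A package whose code differs from the local build, signed with the same files.
TAMPERED = build_package(
    {**APP_FILES, "classes.dex": b"dex\n035\x00different-bytecode", **SIGNATURE_FILES}
)

if __name__ == "__main__":
    print("shipped matches local build:", matches_local_build(LOCAL_BUILD, SHIPPED))
    print("tampered matches local build:", matches_local_build(LOCAL_BUILD, TAMPERED))
```

Because the digest covers entry names, lengths and bytes, a mismatch points at the specific entry that differs once you compare per-entry hashes; the check is only as strong as the reproducibility of the local build itself (toolchain versions, fixed timestamps, deterministic resource ordering), which is the part that takes real effort in practice.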


  👤 throw03172019 Accepted Answer ✓
Dashlane’s white paper did a good job explaining. I have not explored others in depth.