As a parallel example, I as a user can 100% trust, e.g., the lodash library to use in my projects. It's open-source, popular, traceable by the large community, and there is literally no place for any backdoor, hidden tracking and so on.
So, what if I want my service with all its infrastructure, data in databases, incoming and outgoing connections to be 100% transparent, open to be investigated and audited?
Disregard the problem of data privacy and sensitivity - assume that there is no such data.
Problems I see:
- When I create a commit/push to the codebase, then run CI, how can I as the owner prove that exactly this build goes to production without any backdoor being added to it when deployed?
- As a user, how do I know there is no hidden process running in the background, tracking events and data writes while I am performing some action?
- As a user how do I know the monitoring/audit tools provided by the owner are not fake and show exactly the state of the service?
- Is it even possible in reality to create it in such a way that an arbitrary user, having some level of expertise and some level of access to the system (in order not to bring harm), could say that the system is completely clear in all its incentives, data and processes?
As for your question, if the entire source code of your application, including the CI, is open-source and anyone can read it, anyone can see whether the system really is closed with no option for backdoor or exploit, or if there's actually a way to corrupt it.
Remember that zero risk does not exist; therefore 100% reliability does not exist either, and 100% trust should not exist. As soon as the program is even slightly complex, all it takes is one tiny, well-hidden, unintentional bug to introduce a vulnerability that makes your service exploitable.
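The first problem in the question (proving that the build from a given commit is the one that actually runs in production) is the part an outside auditor can check mechanically, provided the build is reproducible and CI publishes a signed statement of what it built. The following is an added example, not code from either poster: it sketches that check with a deterministic toy "build", a CI-issued provenance record, and an auditor-side verification. The signing key, commit ids, source and artifacts are all constructed for the demo, and HMAC stands in for the asymmetric signature a real pipeline would use, so the example runs offline.

```python
import hashlib
import hmac
import json

# Constructed sample source, as it would sit at a reviewed commit in the open repository.
SOURCE = b"print('hello from release 1.2.3')\n"
COMMIT = "abc123"  # constructed commit id

# Hypothetical CI signing key. A real pipeline would use an asymmetric key pair and
# publish the public half; HMAC is used here only so the example is self-contained.
CI_KEY = b"constructed-ci-signing-key"


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_from_source(source: bytes) -> bytes:
    """Toy deterministic build: same source always yields byte-identical output.
    Anything non-deterministic (timestamps, random ids, absolute paths) would break
    the auditor's ability to rebuild and compare, which is the whole point."""
    return b"#!/usr/bin/env python3\n" + source


def ci_publish_provenance(commit: str, artifact: bytes) -> dict:
    """What CI publishes next to a release: which commit was built, the artifact digest,
    and a signature over that statement so it cannot be edited after the fact."""
    statement = {"commit": commit, "sha256": digest(artifact)}
    payload = json.dumps(statement, sort_keys=True).encode()
    sig = hmac.new(CI_KEY, payload, hashlib.sha256).hexdigest()
    return {"statement": statement, "sig": sig}


def verify_deployment(provenance: dict, deployed: bytes, expected_commit: str) -> bool:
    """Auditor check 1: the bytes actually running match what CI signed for this commit."""
    payload = json.dumps(provenance["statement"], sort_keys=True).encode()
    expected_sig = hmac.new(CI_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, provenance["sig"]):
        return False  # provenance record forged or altered
    if provenance["statement"]["commit"] != expected_commit:
        return False  # CI built something, but not the commit that was reviewed
    return hmac.compare_digest(provenance["statement"]["sha256"], digest(deployed))


def audit_rebuild(source: bytes, deployed: bytes) -> bool:
    """Auditor check 2: rebuild from the open source yourself and compare digests.
    This does not even require trusting CI's signature, only a reproducible build."""
    return hmac.compare_digest(digest(build_from_source(source)), digest(deployed))


if __name__ == "__main__":
    artifact = build_from_source(SOURCE)
    provenance = ci_publish_provenance(COMMIT, artifact)
    tampered = artifact + b"import os; os.system('echo hidden')\n"  # constructed tamper
    print("genuine artifact verifies:", verify_deployment(provenance, artifact, COMMIT))
    print("tampered artifact verifies:", verify_deployment(provenance, tampered, COMMIT))
    print("independent rebuild matches:", audit_rebuild(SOURCE, artifact))
```

The two checks answer different halves of the concern: `verify_deployment` ties the running bytes to a signed CI statement about a specific commit, and `audit_rebuild` lets any outsider confirm the same thing without trusting CI at all. Neither says anything about what the code does once it runs, which is the answer's point: open source and provenance make the deployment inspectable, not bug-free.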