If no one is actually auditing that code, or somehow confirming that the binaries shipped by your package manager match what the code compiles to, then you're still playing a trust game.
Trusting in open-source software devs rather than a capitalist corporation definitely makes sense, but it isn't some panacea for "safe, non-spying software".
Also, dependencies on Linux absolutely include programs I don't want. They just tend to be less obtrusive terminal programs and libraries rather than full-blown UI-based shit. Less visible, but far easier to sneak under the radar.
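The "confirming that the binaries match what the code compiles to" point above is what reproducible builds are for: if an independent rebuild of the same source yields byte-identical output, anyone can check the published hash instead of trusting the packager. The following is an added example, not the commenter's code: it builds a toy "package" (a tar of a constructed source tree) the naive way and the normalized way (fixed SOURCE_DATE_EPOCH-style timestamp, uid/gid 0, sorted entries) and checks whether a second build from a fresh checkout reproduces the first hash. The source tree, the epoch value and the two builders are assumptions for illustration.

```python
"""Toy reproducible-build check (added example; constructed inputs).

Two builders produce a tar 'package' from a source tree:
  build_naive       - tarfile defaults: real file mtimes, real uid/gid
  build_normalized  - fixed mtime, uid/gid 0, sorted entries (reproducible)
check_reproducible() builds from two independent checkouts whose files carry
different mtimes (as a fresh clone would) and compares SHA-256 hashes.
"""
import hashlib
import io
import os
import tarfile
import tempfile
import time

# Assumed fixed build timestamp, in the spirit of SOURCE_DATE_EPOCH.
SOURCE_DATE_EPOCH = 1_600_000_000

# Constructed sample source tree: relative path -> contents.
SOURCE_TREE = {
    "main.c": b"int main(void) { return 0; }\n",
    "README": b"toy package\n",
    "lib/util.h": b"#define VERSION 1\n",
}


def write_tree(root, tree, mtime):
    """Materialise the tree under root with every file stamped at mtime."""
    for rel, data in tree.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (mtime, mtime))
    return root


def build_naive(root):
    """Archive with tarfile defaults: mtime/uid/gid leak into the output."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.add(root, arcname="pkg")
    return buf.getvalue()


def _normalize(info):
    """Strip build-environment noise from a TarInfo header."""
    info.mtime = SOURCE_DATE_EPOCH
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    info.mode = 0o755 if info.isdir() else 0o644
    return info


def build_normalized(root):
    """Archive files in sorted order with normalized headers."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames.sort()  # deterministic traversal order
            for name in sorted(filenames):
                full = os.path.join(dirpath, name)
                arc = os.path.join("pkg", os.path.relpath(full, root))
                tar.add(full, arcname=arc, recursive=False, filter=_normalize)
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def check_reproducible(builder):
    """True if a rebuild from a fresh checkout matches the 'published' hash."""
    now = int(time.time())
    with tempfile.TemporaryDirectory() as d1, tempfile.TemporaryDirectory() as d2:
        # First checkout: what the packager built and published.
        published = sha256_hex(builder(write_tree(d1, SOURCE_TREE, now)))
        # Independent rebuild an hour later: same source, different file mtimes.
        rebuilt = sha256_hex(builder(write_tree(d2, SOURCE_TREE, now + 3600)))
    return published == rebuilt


if __name__ == "__main__":
    for label, builder in (("naive", build_naive), ("normalized", build_normalized)):
        print(f"{label:10s} reproducible: {check_reproducible(builder)}")
```

The naive build fails the check purely because file mtimes are embedded in the archive headers; real packages pick up the same kind of noise from compiler timestamps, build paths and locale, which is why projects export SOURCE_DATE_EPOCH and normalize archives before anyone can meaningfully compare a distributed binary against a rebuild.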