pichlo
Posts: 6,445 | Thanked: 20,981 times | Joined on Sep 2012 @ UK
#8
Originally Posted by sulu
But how do you know it's actually doing what it says if nobody who is independent from MS even knows the source code?
How do I know that any code does what it says and nothing else? Regardless of who wrote it and how open it is?

"The code is open, you can check it."

I know I can. But I have neither the time nor the capacity to inspect millions of lines of code. Literally anything can hide in plain sight. And even if I could, how can I be sure that the installed binary matches the source? And even if I could verify that, or build it from sources myself, I would still have to check the code of all the build tools in case they insert some "goodies".

"Others have checked it for you."

Have they really? Or is everyone relying on someone else doing it? And even if others had checked it for me, how can I be sure that they would share their findings with me? What if they added some goodies in, exactly because the code is open and thus allows them to do that, and are targeting me?

I am not saying that I believe any of that BS. I am not that paranoid. My point is that there is no guarantee that the code is doing what it says, regardless of whether anyone "independent from MS" has access to it or not. You do not trust Microsoft, but if you were really security conscious, you would not trust anybody.
__________________
Russian warship, go fuck yourself!
 
