Meanwhile, run a tcpdump and look for suspect connections. Trace them back to their source and prove that the packets contain any data that violates Jolla's privacy policy, then I'll start to subscribe to your conspiracy theory.
I don't think the bits like Alien Dalvik, Exchange support or XT9 should be counted, as they're licensed from third parties. Jolla open sourcing someone else's work after leasing it from them just doesn't make sense
If you've a problem with unauditable code or proprietary binary blobs, I have some bad news for you: Anything you use day-to-day has arbitrary code that isn't open to public scrutiny, unless you have the good fortune to own one of a handful of older Thinkpads (or a select few other notebooks) or some one-off smartphone with a fabled open baseband.