This doesn't mean that any 3rd party with source code access could omit telling Jolla about found security bugs and use these as backdoors. Also an NDA doesn't guarantee that source code won't get leaked even trough it's prohibited. Just look at the recent leak of iBoot code. As I've understood from your picture Jolla doesn't have access to Sailfish RUS specific source code meaning backdoors could be inserted without Jollas knowledge. Only into the RUS specific version though.