I'm totally with you regarding the desire for reproducible builds and having access to the code. But the FOSS world is not what I had in mind when posting my last post, as you rarely are forced to use a specific app there.

I was looking at big companies (banks, public transport etc) where you see tendencies towards app exclusive services. The best example may be online banking apps, for which you often see issues at TJC from nordic users: either you install and use the app, or you can't access your online banking.
The sad truth here is that there usually is no possibility to get a look at the source code. So, sure, they could include a crypto miner or something like that, but I'd say the chances for that are quite low in these cases. The bigger issue is that more and more companies go "all in" regarding data collection: try to grab as many data from users you can, maybe they can be useful (and sold) in the future. In this case, App permissions are essential, since with them you can use the app without the fear that it "steals" your address book or is constantly spying on your location.
I have to say that Google did a good job regarding this permissions in the newer Android versions. Wouldn't Android itself spy on the user so massively, it would be a great privacy-friendly system. And this is where SFOS has its advantages in my opinion: If we get similar app permission features as Android, we have a privacy-friendly base system (opposed to Android) and can get much more privacy for Apps which are (unfortunately) essential for the user.