I don’t believe there’s been any official response regarding any of these recent discoveries, though browsing the Twitter feed seems to suggest OnePlus has been in contact regarding the root access issue.
You’re certainly correct, but I think it’s about getting as close to sure as you can get without being severely inconvenienced or otherwise impacted. I’m not going to compile my own ROM, but using software that’s open source makes me much more comfortable than not, because at least we know there’s not a glaring security or privacy hole in the claimed implementation.
For example, I use ProtonMail, which is an encrypted email service located in Switzerland that doesn’t require any personal information, and claims not to log IPs. Now, they’re encryption algorithm is closed-source, with their apps being open. While it would be ideal to have the algorithm public, and even then you couldn’t be sure that their implementation in reality was the same, I still feel worlds better than using Gmail – whom we know tracks us and sells our information.
Now, of course in theory, the best option for email would be to host ones own encrypted email on their own server. However, in practice this would be a ton of work and most likely far less secure in reality, because you really need to be diligent with server monitoring and security updates. As such, I’d much rather take my slim chances that something nefarious is going on behind the scenes, and have my services like email hosted by a reputable source with teams dedicated to securing the implementation who have greater knowledge (and time) than I’d be able to dedicate.