All Brave code comes from a single source and is controlled by a single entity.
As a hypothetical example, imagine that Brave is sold, and new owners changed the code so that 50% of the tokens go to the PRESIDENT RE-ELECTION FUND, instead of the website user looks at.
There is no "changing the code". That's not how smart contracts work. The code[1] as it was written and deployed is on the ether blockchain and will remain on the ether blockchain in its current form so long as the blockchain remains existent. It is set in stone.
Brave could make a new BAT token and point their browser to use it, but they don't get to do anything with the original code controlling the tokens everyone is already using. It cannot be disabled, modified, or deleted, by Brave Inc or by any person.
> Brave could make a new BAT token and point their browser to use it
This by itself is strong proof of centralization. Brave can unilaterally make this change and give themselves total control over BAT 2.0 while leaving the original BAT worthless.
Brave can release whatever software they want, but they maintain no control over the original token. The token maintains whatever worth the larger market assigns to it, and if there isn't majority buy in with NuBAT, it simply won't be used. Brave being open source, large enough dissatisfaction would result in the browser being forked with the original token in play.
As a hypothetical example, imagine that Brave is sold, and new owners changed the code so that 50% of the tokens go to the PRESIDENT RE-ELECTION FUND, instead of the website user looks at.