Hacker News

Skepticism is healthy.


So is trust. You can’t possibly audit the source of every piece of software that touches your life, even if all of it were open source. Hell, things like Heartbleed or Shellshock sat in OpenSSL / Bash for 5-10 years.


Trust isn't healthy when you're worried about cybersecurity. The economics of trust work differently in real life than at web scale.


Heh. Heartbleed is my go-to example why we should be skeptical of the security of all software.


If you don't trust an open-source program due to the possibility of e.g. Heartbleed, then it's only reasonable to trust closed-source software (e.g. the majority of macOS, including in all likelihood the parts of it controlling the camera) even less.


Then we agree.



