Unfortunately even the best intentioned and best audited project can be compromised. So that is not a guarantee (sure, much better than closed source but that is a given)

You may be forced by a rubber hose attack (or legal one) to insert vulnerabilities in your code… and you have the traffic… a single point to attack… signal/proton/etc

Is it possible with two different vendors? Sure it is but it is way more complicated