Either way, the issue is trust. With popular/widely used open source projects, you can at least democratize trust to some extent (many people have worked on this, and many more have used it). Smaller projects are more risky. This is true for proprietary software also - generally, Microsoft is putting effort into fixing vulnerabilities in their products, but if you buy specialty software from a small business with a registered address in Ireland but actually based out of Moldova, they will probably have different quality standards.
Whether open or closed, you should try to understand the incentive model of the developers. Is it paid software? Is there a license agreement? Is it ad supported? Or donation supported? Is it a volunteer project? Is it collecting data about its users?
Some open source software is developed by companies but distributed freely. Bitwarden is a great example of this. It’s probably the best password manager out there right now. It’s free for individual use and for self-hosting. The company makes money by selling implementation and support services to businesses. This model has a lot of benefits, and the code projects that come out of such companies are generally very stable and trustworthy.
The trust issue is slightly different in form between open and closed source, but ultimately it’s the same issue. If the security of what you’re doing matters, then you need to know who you’re working with and whether their interests align with yours.
Consider Framework, which is modular and designed to be user-repairable and upgradeable, with the intent that the full unit never needs to be replaced.
It’s not as cheap/lightweight as you had in mind, but I think the cost calculation changes if you can plan to get more than three functional years out of it.