I sometimes find it hard to trust other people's code. For example, recently I wanted to know how configuration file affects request processing in nginx. That was no fun at all. Software engineers trust nginx and deploy it a lot, yet they probably wouldn't be able to chart out the internal structure of it off the cuff.
It is said that many eyeballs eyeballing the code over time makes it more trustworthy. But do these eyeballs look for that inspires trust?
(I'm not meaning to single out nginx, it was just at the top of my mind as an example.)
For smaller stuff, what comes to mind is chrome extensions. Whenever I install some sketchy looking chrome extension like "user agent switcher" that requests permission to work on every URL, I always check the source code of the extension for any code that might exfiltrate data to external sources. Usually the source code is minimal and this only takes a few minutes. I do a quick scan for any code that is suspiciously obfuscated or seems to make an XHTTPRequest to a sketchy site, and if I see anything like that I "nope" right out of there.
It also comes down to what your threat model is and what you're trying to protect yourself from. If you know that, then you have an idea of what specifically to look for.