It wouldn't matter how you signed in for potential abuse to occur if the app itself is untrusted, unfortunately.
The repository doesn't include all of the code that gets included in the app, because it has dependencies. It links those dependencies on the github page, but you have to verify that the dependencies being linked to are the ones the build actually uses. Then check that you like what's in those dependencies. At first glance, a forked version of one of the dependencies is pulled from his own repository instead of the repository linked on the page, so you have to make sure you aren't vetting the wrong repository. Then the release archives package in Electron for you, so that's another thing you're trusting if you don't build it locally.
It doesn't mean anyone is doing anything wrong, but even if they have good intentions good people pull in bad dependencies occasionally too.
Developers as people are innocent until proven guilty. Software is guilty until proven innocent, especially if there's a higher chance of a security risk. Not everyone can assess that well for themselves.
> It wouldn't matter how you signed in for potential abuse to occur if the app itself is untrusted, unfortunately.
> The repository doesn't include all of the code that gets included in the app, because it has dependencies.
> Software is guilty until proven innocent
I'm not saying you're wrong about any of this, and I don't trust this app myself (mostly because JS dependencies are hard to trust for various reasons), but...
I also can't think of any usable app that meets your criteria for trustworthiness, including some made by Google itself.
At this point, building much of anything requires standing on a teetering tower of dependencies that users can't and won't audit.
The question becomes where one draws the line. I think drawing the line at "anything that touches my Drive files" is reasonable, but we (meaning computer users) spent decades downloading sketchy executables for our Windows PCs. Although many things are browser-based now, many of us still do download native executable freeware from the web.
If you think I'm not offering a better perspective, it's because I'm not. You're right, but total security also currently means using very little of the software that's available to us.
These days, I’m very careful what gets downloaded on my computer for just that reason. Dropbox for the Mac is a security nightmare, and Zoom was doing shady crap before, like installing a web server to redownload itself if you uninstalled it.
On the other hand, I download all sorts of random crap on my iPad because the security model won’t let apps do anything too shady without you giving them permission.
Same way we draw the lines between risk and reward in everyday life while still managing to function. Doing that with software can be a little less intuitive than stubbing your toe and learning from the pain, but it ends up not being that hard to maintain a low-resolution threat model when you prioritize well.
A user with a basic habit wouldn't need to know how to read the code for this, because there are enough signals that you wouldn't need to get that far to decide not to use it.
> but we (meaning computer users) spent decades downloading sketchy executables for our Windows PCs.
This is sadly not a valid comparison. Our PCs have a far more critical role in our lives now, have far more power to hurt us, and are reachable by 1000x more malicious actors.
We are in a new, dangerous world. We need much better OSes with much stronger sandboxing for our modern world.