I remember times when supposedly low Opensource software quality was a constant complaint. On the other hand I think taking Linux as an example, I always found it to be significantly more stable than Windows.
That said, it's a funny choice for Manjaro to go for opt-out telemetry. As a simplified Arch it seems to be popular among privacy conscious users. (But I don't know the project goals, maybe that's just coincidental)
Opensource contains many things, but IMO limiting to core/ packages on arch and never installing anything from AUR will get great quality software, with far better security and privacy than similar proprietary software.
If one is very interested in security and privacy however, using VMs for isolation of different apps or services is important, so having an OS that helps that is useful.
Bare arch _can_ do this, but requires quite a lot of script development.
Qubes seems to be the answer many grab for, though much is still written in C, which comes with all of the vulnerabilities mentioned constantly. So, something like https://diosix.org/ (a Rust-based hypervisor for Risc-V) is a great option to make a start towards decently secure system. Of course if your threat model includes state actors or something, you're SOL (change your perspective or what you're doing) since they always have an easy backdoor into any hardware, but sometimes things like diosix can protect against the constant script kiddies and other individual hackers.
That said, it's a funny choice for Manjaro to go for opt-out telemetry. As a simplified Arch it seems to be popular among privacy conscious users. (But I don't know the project goals, maybe that's just coincidental)