
With the current politics, how do you expect minorities to trust a product with their identity and (sometimes) life, if you can’t inspect what’s being done with your data?



Real question: how do you verify that the source code matches the code of the service you’re using? Is there some service that builds and hosts and you can verify what it builds against the hosted location?


You can only ever really ensure the client you use wasn't tampered with by carefully reading all of its source code and then building it yourself. For every update.

Realistically, you will always need a minimum amount of trust, just don't misplace it.


The minimum amount of trust is clearly a lot less for open source software because anyone can view the source and whistleblow vulnerabilities (and many will regularly do so to contribute or modify it anyways).

Also, compiling and verifying software updates is pretty easy for typical application programs. I do it for cryptocurrency software; you just look over diffs and make sure it matches up to the changelog.


Yes, this is exactly what open source "app stores" like f-droid do: reproducible builds. Also it is pretty trivial to compile it yourself to confirm.


Doesn't matter if the app is just an interface to a web server.


If it's just an interface to a web server, it should just be a web page, not an app.


Just because I can compile it doesn’t mean it’s the same as what’s being run on the service.

The build and what’s hosted have to be the same.



