If you don't actually audit the hundreds of thousands or millions of lines of code comprising an open source application stack, you don't have a guarantee of what's happening either.
Bugs like Heartbleed demonstrate that massive vulnerabilities can be introduced and persist in well-regarded open-source codebases for long periods of time without detection in spite of theoretical "millions of eyes". Heartbleed was, to the best of our understanding, the result of an honest mistake. What's to say that any significant OSS codebase with thousands of committers doesn't have a substantial number of subtle and less-than-honest "mistakes" of a similar character?
In proprietary software it's different. Proprietary software is less vulnerable to infusions of backdoors from untrusted sources and side channels. Proprietary software can only be audited by the developers themselves, and it will depend on the kinds of resources the developers can bring to bear directly. Companies that can afford it can dedicate large teams to reviewing and testing their codebases.
That open source code can be audited by third parties is only relevant if it actually happens, and otherwise you have only a false sense of security.
Unless you're trying to demonstrate why. It doesn't seem to be the case here, but you could probably get the point across better if you simply showed people how much information you could gather about them.