So a company makes a device and posts some open source software. But does that software actually match the software on the device? How would you have any idea? Couldn't they just slip a few lines into that code before shipping them out and not mention those on github? Are there independent reviewers that are somehow able to get a reliable full image and verify it completely?

And do any of the manufacturers publish their electronic schematics? If so do any independent reviewers sit down and test that with voltmeters?

If not verified fully, then I'm concerned that if I get one of these, there's a meaningful chance that it will turn out to have done something like assigning keys based on a known, deterministic RNG progression and that 10 years from now the developers will just crack all the wallets from a resort in Borneo and yoink everything.

Am I missing some reliable way to vet these things? If not, then what better options are there to more securely store btc?