Yeah, but usually with open-source software you get like 150 Github comments complaining and outlining their shady business practices... If there's something to complain about.
The XZ is an example for sth else. There are probably more backdoors in proprietary software that we just don't know about. And they can just keep it hidden away and force the manufacturers to do so. No elaborate social engineering like in the XZ case needed... And no software is safe. They all have bugs and most of them depend on third-party libraries. That has nothing to do with being open or closed source. If so, being open provides you with more of a chance to catch mischievous behaviour.