It does matter, because you can’t self-host nore audit the code. What you say isn’t wrong, unless they were to use a public facing reproducible build system ofc. But at minimum, if their server side code isn’t open source at all then you can’t even verify if it’s completely vulnerable spaghetti code or not. Some transparency is always better than none at all.
The server side code doesn’t matter I’d it’s open source or not. You can’t be sure they’re actually running the code they’re publishing.
It does matter, because you can’t self-host nore audit the code. What you say isn’t wrong, unless they were to use a public facing reproducible build system ofc. But at minimum, if their server side code isn’t open source at all then you can’t even verify if it’s completely vulnerable spaghetti code or not. Some transparency is always better than none at all.