(a) it’s not really theoretical, considering both their public stance on it and the design choices that they’ve made; (b) “but they might change” is a bugaboo that could apply to anyone. An open source project could get compromised, taken over or bought by a malvertiser who replaces the software with a signed malware - and we have ample evidence that this has happened before to many projects (e.g. Chrome addons).