How can you be so sure? Even after reading all the source code, there still can be bugs, attacks, demanding letters from different agencies, misconfigurations, vulnerabilities in code and in libraries, etc. etc. etc.
If your threat model is the NSA leaning on a developer to ship a compromised build, KPMG is not going to catch that. If it’s that you’re going to use Transmit to connect to a server which is compromised and exploits your client to exfiltrate your Drive files, guess what else they’re not going to prevent?
It’d be one thing if Project Zero was running serious audits but this policy is designed to let them check audit checkboxes so when you lose data, it’s hard to sue Google.
exposed to the internet and connected to the internet are different. Exposed implies that traffic originating from the internet reaches the app. You still do have to worry about things like parsing malicious files, but the class of relevant attacks is much smaller and generally easier to defend against.
Everything's connected to the internet, what the OP was talking about was attack vectors and since Transmit is a local app it really isn't one unless your whole machine is compromised, which in that case you're screwed.
There are lots of ways a local app can be compromised. It can read a local config value unsafely which can be influenced by some other app that does talk to the Internet, for example.
There's a reason why airgapping is the only way to secure important systems (and of course that can also have a number of vulnerabilities).
And besides, how do you know it's a local only app if you haven't audited it?
