By a 'zero trust' security philosophy, anything short of completely open source is inherently untrustable.

You may not be practicing that philosophy, but that doesn't make those who do "paranoid" any more than corporations implementing PCI-DSS controls.

Security does not work retroactively, only proactively.