Comment by ghurtado

Comment by ghurtado 14 hours ago

5 replies

I have to assume you have never worked on security cataloging of third party dependencies on a large code base.

Because if you had, you would realize how ridiculous it is to state that app security can't be assessed until you have read 100% of the code.

That's like saying "well, we don't know how many other houses in the city might be on fire, so we should let this one burn until we know for sure."

fasbiner 10 hours ago

What you are saying is empirically false. A change in a single line of executed code (sometimes even a single character!) can be the difference between a secure and a non-secure system.

This must mean that you have been paid not to understand these things. Or perhaps you would be punished at work if you internalized reality and spoke up. In either case, I don't think your personal emotional landscape should take precedence over things that have been proven and are trivial to demonstrate.

  • JasonADrury 2 hours ago

    > A change in a single line of executed code (sometimes even a single character!) can be the difference between a secure and a non-secure system.

    This is kind of pointless; nobody is going to audit every single instruction in the Linux kernel or any complex software product.

jokersarewild 12 hours ago

It sounds like your salary has depended on believing things like a partial audit is worthwhile in the case that a client is the actual adversary.

  • charcircuit 11 hours ago

    Except Meta is not an adversary. They are aligned with people who want private messaging.