
Unless you're reading millions of LOC and compiling everything from source then you also have no guarantee there isn't a delta on any complex software you run.

Guarantees are hard to come by. That's where reasonable amounts of risk assessment enter the picture.

If you're looking for absolute certainty



If you shift the trust just one allegorical bit you don’t necessarily have to read all the code; just compare the sha256 hash with a known git commit and scan through the recent changes in the repo.

Compiling from scratch isn’t necessarily such a big deal these days (guix/NixOS/gentoo for base system, locally built containers for orchestrated services).

Personally I’m fine with putting some level of trust in the maintainers of Debian apt repos but everything else I definitely do take a look at where it’s coming from and what’s going on. There’s a middle ground between fine-combing the source tree and blindly accepting whatever comes from arbitrary upstreams.
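The "compare the hash, then look at what changed since the commit you trust" workflow from the comment above, written out as an added example (not code from the thread or from any of the distributions mentioned). It pins a downloaded artifact to a known sha256, refuses it on mismatch, and, given a checkout, lists the changes since a pinned commit for review. The sample file, its digest and the `--demo` run at the end are constructed for the example; the pinned commit id and repository path in `changes_since_pinned` are placeholders you would fill in.

```shell
#!/bin/sh
# Added example: verify a release artifact against a pinned sha256 and
# show the repo changes since a trusted commit. Not from the original thread.

# sha256_of FILE -> hex digest; uses whichever digest tool the host has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 -r "$1" | awk '{print $1}'
  fi
}

# verify_artifact FILE EXPECTED_SHA256 -> returns 0 on match, 1 on mismatch.
# Accepts upper- or lower-case hex so a digest copied from a release page works.
verify_artifact() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK   $file matches pinned sha256"
    return 0
  fi
  echo "FAIL $file: expected $expected, got $actual" >&2
  return 1
}

# changes_since_pinned REPO_DIR KNOWN_COMMIT -> prints the commits and touched
# files between the commit you last reviewed and HEAD, which is what you read
# instead of the whole tree. Assumes a git checkout; not run by the demo.
changes_since_pinned() {
  git -C "$1" rev-parse --verify "$2^{commit}" >/dev/null || return 1
  git -C "$1" log --stat "$2..HEAD"
}

# Constructed demo: a file whose contents are exactly "hello\n", whose sha256
# is 5891b5b5...be03, then the same file after one byte is appended.
if [ "${1:-}" = "--demo" ]; then
  pinned=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
  sample=$(mktemp)
  printf 'hello\n' > "$sample"
  verify_artifact "$sample" "$pinned"          # OK
  printf 'x' >> "$sample"                      # simulate a tampered download
  verify_artifact "$sample" "$pinned" || true  # FAIL
  rm -f "$sample"
fi
```

Run it as `sh verify.sh --demo`. A matching digest only proves the file is the one the publisher's hash describes; as the next comment points out, it says nothing about code that was tampered with before it was committed, which is why the second half of the check (reading the diff since the last commit you trusted) still matters.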


Ditto about Debian repos. But as for reading LOCs, comparing the hash won't help if a supply chain attack hit the code before it made it to a commit. I'm not actually advocating reading every LOC. I'm just saying that if you want to use just about anything, some level of trust has to be put in other people & other systems. It should always be a qualified trust though. A trust-but-verify (within reason).



