Indeed it can! After… really very much more work than ought have been required.
I don’t think it changes much. “Open source is more secure” as an argument more or less asserts that because one can evaluate code from an adversarial perspective, people are evaluating code from that point of view. Sometimes it’s true, sometimes it’s not. I would, however, wager that people think it’s true far more often than it actually is.
Having done red teaming in the past, the vast majority of programmers just don’t think about things from a “How could this be abused?” perspective. It’s not a particularly hard skill to teach (for a while, I was one of the regular instructors for a course on it), and often you can watch people’s eyes light up as they realize that “thinking evil” is both fun and useful. We had an “Evil Thought of the Day” club for a while, just to practice.
The other, and IMO bigger, problem is that things are often totally fine when they’re designed and implemented. Then, 10 years or 20 years later, they get asked to do things that they were never designed to do, and while they appear to do it on the surface, there are weird things that break. Page tables weren’t designed assuming they’d be holding security-sensitive information - knowing someone else’s page mappings was interesting but gained you nothing useful. Then, ASLR/KASLR came out to block classes of attacks, and it turns out that page tables leak in a wide variety of ways. It just didn’t matter when they were designed. I would assume in this case, the same applies - “split repos” were never part of the design criteria, and that one could have multiple mirrors was a redundancy/availability thing. Start having internal and external repos, and, whoops. You violated an implicit assumption in the design, and it breaks somehow.
This is depressingly common for browser extensions. Some extension is well done, works as advertised, is popular, and eventually the maintainer either gets bored or someone makes a very compelling offer for it. New maintainer turns it evil, it auto-updates, and, hey, quick buck.