> Regarding your last point, for the vast majority of open source software releases, we can never be sure if the release we get is produced from the same code we see. I do not know if that is the case with VS Code add-ons, but you get my point.
You can actually unpack VS Code's .vsix files (a .vsix is just a zip file) and compare the package contents to the repository.
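The comparison described in that comment, written out as an added example (not the commenter's code): treat the .vsix as a zip, hash every file under `extension/` (the layout `vsce package` produces), hash a local build of the repository the same way, and report what is only in the marketplace package, only in the rebuild, or different. The sample package and the build tree are constructed inside the script so it runs offline; a real check would download the .vsix and point `build_manifest` at your own `vsce`/`npm run compile` output.

```python
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path

# In a vsce-built .vsix the installable files sit under extension/;
# extension.vsixmanifest and [Content_Types].xml are packaging metadata.
EXT_PREFIX = "extension/"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vsix_manifest(vsix_bytes: bytes) -> dict:
    """Hash every file under extension/ inside the .vsix (a plain zip)."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith(EXT_PREFIX):
                continue
            digests[info.filename[len(EXT_PREFIX):]] = sha256_hex(zf.read(info))
    return digests


def build_manifest(build_dir: Path) -> dict:
    """Hash every file in a local build of the repository, keyed by the same relative path."""
    return {
        p.relative_to(build_dir).as_posix(): sha256_hex(p.read_bytes())
        for p in build_dir.rglob("*")
        if p.is_file()
    }


def compare_manifests(published: dict, rebuilt: dict) -> dict:
    """Report files only in the marketplace package, only in the rebuild, or with differing content."""
    return {
        "only_in_vsix": sorted(set(published) - set(rebuilt)),
        "only_in_build": sorted(set(rebuilt) - set(published)),
        "modified": sorted(k for k in published.keys() & rebuilt.keys() if published[k] != rebuilt[k]),
    }


def make_sample_vsix(files: dict) -> bytes:
    """Constructed stand-in for a downloaded .vsix, using the vsce zip layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("extension.vsixmanifest", "<PackageManifest/>")
        zf.writestr("[Content_Types].xml", "<Types/>")
        for rel, content in files.items():
            zf.writestr(EXT_PREFIX + rel, content)
    return buf.getvalue()


def demo() -> dict:
    """Constructed scenario: the published package has one extra file and one changed file."""
    repo_files = {
        "package.json": '{"name": "example-ext", "version": "1.0.0"}\n',
        "out/extension.js": "exports.activate = () => {};\n",
    }
    published_files = dict(repo_files)
    published_files["out/extension.js"] += "exports.deactivate = () => { /* not in the repo build */ };\n"
    published_files["out/telemetry.js"] = "/* file absent from the repo build */\n"

    with tempfile.TemporaryDirectory() as tmp:
        build_dir = Path(tmp)
        for rel, content in repo_files.items():
            target = build_dir / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        report = compare_manifests(
            vsix_manifest(make_sample_vsix(published_files)),
            build_manifest(build_dir),
        )
    return report


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

The rebuilt side has to come from the same toolchain and the same tagged commit, otherwise bundled or minified output differs for harmless reasons and the diff is noise; when the repository only ships source and the .vsix only ships a bundle, the comparison is only as good as your ability to reproduce that bundle.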