I'm pretty sure this part is true-ish but also . . . misleading? End users are trusting the vendor not to create a backdoor hack into themselves at any time. For example, I don't think it would take much of anything for a given vendor to harvest their customers' account passwords to their site...