Copay was open source.
But as I have said countless times, open source and build verification still do not prevent bad coding, or, as you mentioned, a supply chain attack.
It just allows more people to see the bad code and report it and get it fixed.
And also, as I have said countless times, open source doesn't mean shit if people don't verify the source vs. the compiled binary that you are downloading. And let's not forget: HOW SECURE IS THE PROCESS OF UPLOADING THE APP TO THE VARIOUS APP STORES?
Everything else could be perfect, but if you don't secure that system then you are not secure.
Alas, security is not easy at all. Even while doing everything you stated above, you have no way of knowing when a Microsoft employee simply changes the code on GitHub and gets you to compile their version of the code; you need to read the whole code again and make sure it doesn't send your private keys in plain text over the internet. It's almost impossible to be 100% secure.
Of course, that's just over-exaggerating the matter, but just because it's unlikely doesn't mean it can't happen. I saw a discussion on Reddit the other day in regards to this subject; someone said, "I'd rather just use an exchange so that if I lose my money I've got someone to blame."
This brings an interesting conspiracy theory that all of these hacks are not done for money but for a greater goal: they simply shape the path to custodial wallets. At one point, banks will take over and will provide custodial services where your BTC is insured by large insurance companies or the government itself. Those two have deep pockets and will be able to track and potentially catch whoever steals anything from "them", so it becomes a choice of keeping your BTC "safe and insured by the government" or "at high risk" in your own custody, essentially turning BTC into another government-controlled asset.