Honestly, there are humans developing these operating systems. Not only can humans' make mistakes, but they can also have "agendas" as happened here with this planned out scheme with xz.
So, by default. The answer is most definitely, yes.
Look at pfsense and when pfsense paid ugh, what...