
> is there a way to recognize/prevent this?

If you have a build system capable of deterministically reproducible builds (at the level of individual bits), then the vendor can publish the commit ids for every binary, and users can build their own version from that commit and verify the signatures matched.

In practice, very few build systems offer this level of reproducibility. I've only ever seen this supported by the in-house build system at Amazon.
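The rebuild-and-compare check the comment above describes, as an added example that is not code from the thread or from any vendor mentioned in it. Real compilers are replaced by two toy "builders" so the script runs anywhere: one whose output is a pure function of the source plus a pinned SOURCE_DATE_EPOCH (the reproducible-builds.org convention), and one that leaks its temporary build directory into the artifact, a common real-world cause of irreproducibility. The file names, the sample source and the two vendor binaries are constructed for the example; in a real pipeline the source argument would be a checkout of the commit the vendor published for that binary.

```shell
#!/bin/sh
# Added example: verify a vendor-shipped binary by rebuilding it locally and
# comparing SHA-256 digests. The builders below are hypothetical stand-ins
# for a real toolchain; all inputs are constructed for the demonstration.
set -eu

# Portable SHA-256 of a file (GNU coreutils sha256sum or BSD/macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Toy reproducible build: output depends only on the source text and on
# SOURCE_DATE_EPOCH, the pinned timestamp reproducible builds use instead
# of the wall clock.
build_reproducible() {
    src=$1 out=$2
    {
        printf 'source_date_epoch=%s\n' "${SOURCE_DATE_EPOCH:-0}"
        cat "$src"
    } > "$out"
}

# Toy non-reproducible build: embeds the absolute path of a fresh temporary
# build directory, so two builds of the same commit never hash the same.
build_unreproducible() {
    src=$1 out=$2
    build_dir=$(mktemp -d)
    {
        printf 'build_dir=%s\n' "$build_dir"
        cat "$src"
    } > "$out"
    rmdir "$build_dir"
}

# verify_rebuild BUILDER SOURCE VENDOR_BINARY
# Rebuilds SOURCE with BUILDER and returns 0 only when the rebuilt artifact
# is bit-for-bit identical (same SHA-256) to the vendor-shipped binary.
verify_rebuild() {
    builder=$1 src=$2 vendor_bin=$3
    rebuilt=$(mktemp)
    "$builder" "$src" "$rebuilt"
    local_hash=$(sha256_of "$rebuilt")
    vendor_hash=$(sha256_of "$vendor_bin")
    rm -f "$rebuilt"
    echo "local  $local_hash"
    echo "vendor $vendor_hash"
    [ "$local_hash" = "$vendor_hash" ]
}

# Constructed scenario: the same source shipped by a vendor who built
# reproducibly (vendor-good.bin) and by one who did not (vendor-bad.bin).
setup_demo() {
    export SOURCE_DATE_EPOCH=1700000000
    DEMO=$(mktemp -d)
    printf 'int main(void) { return 0; }\n' > "$DEMO/main.c"   # constructed source
    build_reproducible   "$DEMO/main.c" "$DEMO/vendor-good.bin"
    build_unreproducible "$DEMO/main.c" "$DEMO/vendor-bad.bin"
}

# Returns 0: an independent rebuild from the same commit matches the vendor.
check_good_vendor() {
    verify_rebuild build_reproducible "$DEMO/main.c" "$DEMO/vendor-good.bin"
}

# Returns 1: the path-leaking build cannot be matched even from identical
# source, so the user has no way to tell a clean binary from a tampered one.
check_bad_vendor() {
    verify_rebuild build_unreproducible "$DEMO/main.c" "$DEMO/vendor-bad.bin"
}

run_demo() {
    setup_demo
    if check_good_vendor; then echo "vendor-good.bin: REPRODUCIBLE"; else echo "vendor-good.bin: MISMATCH"; fi
    if check_bad_vendor; then echo "vendor-bad.bin: REPRODUCIBLE"; else echo "vendor-bad.bin: MISMATCH (unreproducible build)"; fi
    rm -rf "$DEMO"
}

run_demo
```

The point of the second case is the one the comment makes: without bit-for-bit reproducibility a mismatch tells you nothing, because honest builds also mismatch, so publishing commit IDs only becomes a verifiable promise once the build is deterministic.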



Fascinating. If it’s rare, then could this be a big potential problem?


I tend to think that the number of companies explicitly vending open-source projects via binary distribution on the basis of their security merits is fairly restricted - it's mostly an issue for products like Signal.

You can still perform quite a bit of analysis by reverse engineering the binaries (albeit with significantly higher effort than inspecting the original source code).



