There is a serious concern in that. Spy agencies buy and commission zero-day exploits. Compared to the cost of satellites, they can easily spend so lavishly that exploit authors have an incentive to worm their way into open source projects. That quite a bit less direct than buying or commanding a back door in a proprietary product, but it's going to be difficult to defend against. It will be interesting to see if such shenanigans are ever uncovered due to the "many eyes" approach.