I for one am going through quite a culture shock. I always assumed the nature of FOSS software made it immune to be confined within the policies of nations; I guess if one day the government of USA starts to think that its a security concers for china to use and contribute to core opensource software created by its citizens or based in their boundaries, they might strongarm FOSS communities and projects to make their software exclude them in someway or worse declare GPL software a threat to national security.
Actually - a lot of closed source programs are still vulnerable to the supply chain attacks you mention where a bad actor has got access to their codebase. This has happened and been reported on, plus Iβm sure, plenty of occasions where it was hushed up for reputational reasons. And - much commercial software still uses FOSS dependencies, so is also vulnerable to the same situation you describe for that. Worst of both worlds.
I donβt think either system is inherantly better than the other in terms of computer security. Each has different and overlapping vulnerabilities.