I don't read the plugin's source for every release, but I do check its domain allowlist.
Because I can see it is forbidden from running on any domain I'm concerned about, I consider BPC safer to run than any plugin that works for "all domains".
Usually, I restrict any extension to be "click to activate" and that works just fine. There is often no need to have anything running on every domain and every website. So it does ultimately become a whitelisting situation of my own configuration.
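The allowlist check the post describes can be done mechanically against the extension's manifest.json. The script below is an added example, my own code rather than anything from the original post or from any extension: it pulls every host pattern out of the manifest, separates install-time grants (`host_permissions`, `content_scripts[].matches`, and MV2 host entries mixed into `permissions`) from `optional_host_permissions` that a user can grant later, and tests whether a given URL falls inside the install-time set. The manifest embedded here is constructed sample data, and the matcher implements the documented Chromium/Firefox match-pattern rules as I understand them (scheme `*` means http or https, host `*.suffix` covers the suffix and its subdomains, `*` in the path is a wildcard, the path is matched together with the query string). Function names such as `can_run_on` and `summarize` are mine.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample manifest for this demo; it is not any real extension's file.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "sample-extension",
    "host_permissions": ["*://*.example-news.com/*"],
    "content_scripts": [
        {"matches": ["https://*.example-news.com/*",
                     "https://paper.example.org/articles/*"],
         "js": ["content.js"]}
    ],
    "optional_host_permissions": ["<all_urls>"],
})

# <scheme>://<host><path>; host is "*", "*.suffix", a literal host, or empty (file:).
_PATTERN_RE = re.compile(r"^(\*|https?|wss?|ftp|file)://([^/]*)(/.*)$")


def collect_patterns(manifest_text):
    """Split host patterns into install-time grants (host_permissions,
    content_scripts.matches, MV2 host entries in permissions) and the
    optional_host_permissions a user may grant later."""
    m = json.loads(manifest_text)
    mandatory = list(m.get("host_permissions", []))
    for cs in m.get("content_scripts", []):
        mandatory.extend(cs.get("matches", []))
    # MV2 mixes API names and host patterns in "permissions"; keep only the patterns.
    mandatory.extend(p for p in m.get("permissions", [])
                     if "://" in p or p == "<all_urls>")
    optional = list(m.get("optional_host_permissions", []))
    return mandatory, optional


def pattern_matches(pattern, url):
    """True if one extension match pattern covers the URL."""
    if pattern == "<all_urls>":
        return True
    pm = _PATTERN_RE.match(pattern)
    if not pm:
        raise ValueError(f"malformed match pattern: {pattern!r}")
    p_scheme, p_host, p_path = pm.groups()
    u = urlsplit(url)
    # Scheme: "*" means http or https only; anything else is literal.
    if p_scheme == "*":
        if u.scheme not in ("http", "https"):
            return False
    elif u.scheme != p_scheme:
        return False
    # Host: "*" is any host, "*.suffix" is the suffix itself or any subdomain
    # (a dot boundary is required, so "notexample.com" does not match "*.example.com"),
    # otherwise an exact, case-insensitive match.
    host = (u.hostname or "").lower()
    p_host = p_host.lower()
    if p_host == "*":
        pass
    elif p_host.startswith("*."):
        suffix = p_host[2:]
        if host != suffix and not host.endswith("." + suffix):
            return False
    elif host != p_host:
        return False
    # Path: the browser matches path plus query string, with "*" as a wildcard.
    path = u.path or "/"
    if u.query:
        path += "?" + u.query
    path_re = "^" + re.escape(p_path).replace(r"\*", ".*") + "$"
    return re.match(path_re, path) is not None


def is_all_domains(pattern):
    """Patterns that amount to 'every site': <all_urls>, or a bare '*' host with '/*'."""
    if pattern == "<all_urls>":
        return True
    pm = _PATTERN_RE.match(pattern)
    return bool(pm) and pm.group(2) == "*" and pm.group(3) == "/*"


def can_run_on(manifest_text, url):
    """Can the extension run on this URL using only its install-time grants?"""
    mandatory, _ = collect_patterns(manifest_text)
    return any(pattern_matches(p, url) for p in mandatory)


def summarize(manifest_text):
    """Report the allowlist and whether either set amounts to 'all domains'."""
    mandatory, optional = collect_patterns(manifest_text)
    return {
        "mandatory": mandatory,
        "optional": optional,
        "all_domains_mandatory": any(is_all_domains(p) for p in mandatory),
        "all_domains_optional": any(is_all_domains(p) for p in optional),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_MANIFEST), indent=2))
    for url in ("https://www.example-news.com/story?id=1", "https://mybank.example/"):
        print(url, "->", "can run" if can_run_on(SAMPLE_MANIFEST, url) else "blocked")
```

Two caveats when reading the output: an entry under `optional_host_permissions`, including `<all_urls>`, is not active until a user grants it, so the mandatory set is what to judge an install by; and the per-site "on click" restriction the post relies on is browser configuration, not something the manifest records, so this check tells you what the extension asks for, not what you have actually allowed it.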