In most of the places I've worked, I would have assumed the same.
The thing is that there is no real technological solution that would instill trust in someone that doesn't already have trust. In the end, all such privacy solutions necessarily must boil down to "trust us" because it's not practical or reasonable to perform the sort of deep analysis that would be required to confirm privacy claims.
You may have provided the source, for instance, but that doesn't give reassurance that the binary that is executing was compiled from that source.