No, we most certainly do not.
Most of mine were checked for problems then rooted and rom'd (or worse) within hours of getting them.
But how do we TRUST these roms? Rom sources are sketchy.
Not all are sketchy when it comes to phones. I know when I have, I've only used reliable, verified sources for phone roms/de-bloated OSes.
Verified by whom? Have we met his parents? How do we know de-bloating was all that was done?
IT SEEMS LIKE, if some nation state, say NK or Rus, wanted to conduct espionage, they'd infiltrate by spreading tainted OSes and buying up VPN companies?
Many of these are open source and some forums insist you post the code, but how many actually check it (same problem Linux has)? You don't need to do that to see what something is doing, though. Personally, if you don't know how to check what software is doing, either through packet sniffing or package inspection tools, you shouldn't really be doing this, or you should wait for others who have or can do it. We all tear each other's roms apart to see how they did things so we can adopt that stuff into our own, so yeah, they really do often get pretty scrutinized, particularly if you did something interesting or you're first on a device.
Don't forget roms take a LOT of work: you build it, then you have to back up, install it, test it, upload it for a few others to test (preferably), then open it up to others. Even a minor update can take hours of work and entire roms can take days, and then it can completely flop. As a new user it can also take a long time before people trust you and your rom, particularly if there's already tons available. Remember, they are extremely device specific; even minor (usually undocumented!) hardware changes will cause it to be rejected or have issues (thanks LG), so trying to make a rom built for spying just to try and trick the community is a lot of work that WILL come crashing down on you pretty fast. You might get a few hundred installs, half will ditch it pretty fast (they're just experimenting), so now you have 50-150 people using it at best, and for how long? How much ad revenue and data can you scrape from 150 people before they realize you did shady things or move on to the next rom they find?
Don't forget you ideally need the phone for testing, and that will easily blow that budget. It can be done without the phone, I've done it, but it's more difficult and you really need experience and a user base willing to trust you before you can really get away with that. Being first to develop a rom gives a massive advantage, but for that you pretty much absolutely need the device, and you will probably be the one to crack it. All of that takes even higher skills, and you will probably brick it and have to figure out how to unbrick it or buy another; that's all more time and money.
If you have the skills to make a rom and do this, you have more than enough skills to make an app (or copy, steal, or modify an existing app), and that can be loaded onto thousands or hundreds of thousands of phones and takes a fraction of the time. It just doesn't make sense from a malicious behavior sense or a monetary sense, because your user base is just too small to make it worth your time.
By the way, I've seen roms get ditched quickly by people after they found out it used something without permission, and I've seen roms get dumped through no fault of their own because they simply included software (usually a launcher) which was later found to have malicious code. The community actually self-regulates pretty well as far as malicious code goes, and they will run off anyone they feel is dishonest pretty fast. Unfortunately there are massive egos involved and they can also be a bit over-zealous; I've seen them chase off a lot of good developers to other websites, with the largest rom forum being the worst for this behavior. There are sections of that site that are just straight up toxic.