Imagine a state actor offering retirement money and a plane ride to a non-extradition island nation for a few commits. Assuming the contributor is already using a VPN, no one would know they were adding surreptitious backdoors to their code.
The only solution is to scope security-relevant functions and add a multi-stage formal verification process before freezing the commits. This assumes no collusion.