
> (privacy, neutrality, etc)

It's proprietary. There's no way of knowing that it's private.



If only we had a field of computer science dedicated to analyzing the security properties of black boxes…


I'm curious how you think this can be analyzed effectively.

Yes, I'm aware of bytecode analysis, but that's a slow difficult process, and for browsers, the release cycle is short enough that by the time you're done analyzing the current version, a new version is out, and it's significantly harder and less useful to diff a binary, so you end up having to basically start the analysis over for the new version. Unless there's something going on here that I don't know of, that's simply not a viable means of keeping track of browser security.


Evaluating browser security is hard. Checking privacy guarantees is easy: you can just look at the traffic it generates. Vlad has a pretty simple and quite strong policy that Kagi doesn’t phone home unless you agree to it. If you find it does otherwise (should be pretty easy to monitor) you should take it up with him.


This is completely wrong.

Malicious software has a long history of detecting monitoring so it can avoid detection. A closed-source browser with backdoors can detect Wireshark, Little Snitch, or whatever you're using to detect outgoing connections, and not connect while those programs are running.

The problem is even more insidious when you're making regular expected connections to a site that the browser creator controls. Many (most?) Orion users are already connecting to Kagi on a regular basis, so they can simply wait until the user logs in to Kagi and smuggle out the data they've collected along with the login request.

In the most extreme case, the browser can not exfiltrate any data at all unless triggered to do so. In this case, the attacker targets specific victims to exfiltrate data from, but avoids exfiltrating from any security researchers or knowledgeable users who might be running software to detect the exfiltration.

In short, the goal here is for those of us with more knowledge to be able to verify the software for every user, because not everyone is capable of monitoring their outgoing traffic effectively, and it's far too easy for backdoored software to simply not phone home when it's being monitored.
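One way to act on the monitoring caveat above is to review egress from a vantage point the browser cannot observe (a router or mirror port) rather than from the host running it. The script below is an added example and is not code from the thread or from Kagi; it assumes connection records exported from such a device in a constructed "timestamp client_ip dst_host dst_port bytes_out" format, with hypothetical host names, and flags both unexpected destinations and unusually large uploads to an expected one (the login-request smuggling case). It catches only what shows up in the capture; it does not make the verification argument above moot.

```python
"""Out-of-band egress review for a browser's network activity (added example)."""
from statistics import median

# Constructed sample of a router-side connection export. Hosts are hypothetical.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 kagi.example 443 1800
2024-05-01T10:00:02 10.0.0.5 kagi.example 443 2200
2024-05-01T10:00:05 10.0.0.5 update.browser.example 443 900
2024-05-01T10:00:09 10.0.0.5 telemetry.unexpected.example 443 65000
2024-05-01T10:00:11 10.0.0.5 kagi.example 443 420000
"""

# Hosts the user expects the browser to contact (assumed list; fill from the
# vendor's stated behaviour and your own configuration).
EXPECTED_HOSTS = {"kagi.example", "update.browser.example"}


def parse_records(text):
    """Parse the constructed export format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, port, bytes_out = line.split()
        records.append({
            "ts": ts,
            "client": client,
            "host": host,
            "port": int(port),
            "bytes_out": int(bytes_out),
        })
    return records


def unexpected_destinations(records, expected):
    """Destinations not covered by the expected-host list, sorted for stable output."""
    return sorted({r["host"] for r in records if r["host"] not in expected})


def upload_outliers(records, factor=10):
    """Connections whose upload volume is far above the median for that host.

    A backdoor that piggybacks on ordinary traffic to an expected host would
    show up here as a single oversized upload; three samples per host are
    required before a median is trusted.
    """
    sizes_by_host = {}
    for r in records:
        sizes_by_host.setdefault(r["host"], []).append(r["bytes_out"])
    flagged = []
    for r in records:
        sizes = sizes_by_host[r["host"]]
        if len(sizes) >= 3 and r["bytes_out"] > factor * median(sizes):
            flagged.append((r["ts"], r["host"], r["bytes_out"]))
    return flagged


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("unexpected:", unexpected_destinations(recs, EXPECTED_HOSTS))
    print("upload outliers:", upload_outliers(recs))
```

Run it against a real export by replacing SAMPLE_LOG with the device's data in the same column layout; the median-based check needs a baseline of ordinary sessions before a single large upload stands out.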


This is true of open source software too. At some point you have to trust that the software you run is not designed to act like malware, because if it is actually backdoored your life is going to be miserable regardless.


Huh? It's not true of open source software at all.

With open source software, you can read the source and verify that it doesn't have backdoors. With reproducible builds, you can verify that distributed binaries are the result of building the source code you've verified.

Honestly, if you couldn't figure out that this was going to be my response, you simply don't have the knowledge to be commenting on this topic. I didn't come up with anything I've said here myself, it's pretty basic, widely agreed-upon understanding of why open source is generally more secure. The only people who actually know the topic who "disagree" on this generally have a vested interest in some closed-source software they want to be seen as secure.
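The reproducible-build check described in the comment above, as an added example that is not code from the thread or from any browser project: it parses a sha256sum-style checksum list, verifies a distributed artifact against it with a constant-time comparison, and compares two independently produced builds byte-for-byte by digest. The artifact bytes, file name and checksum list are constructed here so the script runs offline; in practice the checksum list comes from the publisher and the second build from your own build of the audited source.

```python
"""Verify a distributed binary against published checksums and an independent
rebuild (added example; all inputs below are constructed)."""
import hashlib
import hmac

# Constructed stand-ins: the bytes you built from audited source, the bytes the
# vendor distributed, and a tampered variant. The file name is hypothetical.
MY_BUILD = b"ELF\x01\x02 reproducible browser build v1.0 " + bytes(range(64))
VENDOR_BINARY = bytes(MY_BUILD)
TAMPERED_BINARY = MY_BUILD[:-1] + b"\x00"
ARTIFACT_NAME = "browser-build.tar.gz"

# Constructed checksum list in the two layouts sha256sum emits ("  name" text
# mode and " *name" binary mode); the digest is computed from MY_BUILD so the
# sample is self-consistent.
PUBLISHED_SUMS = (
    f"{hashlib.sha256(MY_BUILD).hexdigest()}  {ARTIFACT_NAME}\n"
    f"{hashlib.sha256(b'other').hexdigest()} *other-file.bin\n"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_sums(text: str) -> dict:
    """Map file name -> lowercase hex digest from a sha256sum-style list."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # tolerate both text-mode and binary-mode markers
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[name] = digest.lower()
    return sums


def verify_artifact(data: bytes, name: str, sums: dict) -> bool:
    """True only if the published digest for `name` matches the data."""
    expected = sums.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


def builds_match(build_a: bytes, build_b: bytes) -> bool:
    """Bit-for-bit equality of two builds, compared through their digests."""
    return hmac.compare_digest(sha256_hex(build_a), sha256_hex(build_b))


if __name__ == "__main__":
    sums = parse_sums(PUBLISHED_SUMS)
    print("vendor binary matches published sum:",
          verify_artifact(VENDOR_BINARY, ARTIFACT_NAME, sums))
    print("my rebuild matches vendor binary:",
          builds_match(MY_BUILD, VENDOR_BINARY))
    print("tampered binary matches:",
          verify_artifact(TAMPERED_BINARY, ARTIFACT_NAME, sums))
```

Both checks have to pass for the argument to hold: the published sum ties the download to what the vendor shipped, and the rebuild comparison ties what the vendor shipped to the source you read.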



