Professional audits happen for big projects, and hobbyists audit the programs they use frequently. In addition, some projects adhere to the reproducible builds guidelines, which ensures the packages you’re receiving are identical to the upstream repo. There’s more work to be done in formalizing and automating these processes but this isn’t a major issue by any means
Just make sure they know anything they put on these big tech platforms are there forever, regardless of what claims they make about “disappearing messages” etc. Do your best to guide them towards encrypted services for their own protection. As much as I hate this, iPhones are a decent recommendation in the US since almost every young person uses iMessage as the default, and that has end to end encryption available. Work to inform them on the dangers of corporate spying and profiling, as well as data leaks and security, and let them have some sovereignty over their platforms. Keeping an eye on them is good; isolating them from important modern social circles isn’t. Inform and educate first and foremost
Vaultwarden is perfect imo
As somebody else mentioned, using a computer and just taking calls there would work and give you solid control over microphone activation etc. If you really want the landline experience, look into adding a USB handset to that setup. It’ll just act like a mic and headphone from your computer but in the classic phone form factor