It’s a lot easier to scan for very specific code behavior than it is to scan for “anything useful for espionage”. And that still wouldn’t solve the question of what their server software is doing or where the collected data is ending up.

If the code were static and unchanging, sure. But it’s not possible to conduct such analysis every time an update is issued on a continuing basis, without fast becoming a hundreds of millions of dollars or more program.

So the better question isn’t whether it’s possible — it’s whether it’s feasible. And the answer is no, it’s not.

It also can’t track the users nearly as well.