This is not entirely true. If it’s FLOSS, then the community can verify the code. Therefore, even if you do not do anything yourself, you rely on the community, which is much better than relying only on developers working with a secret code.
This is not true. Librem 14 has coreboot and Heads and receives microcode updates, and it’s among the Community-recommended laptops for Qubes.
The problem of Librem 14 is that Intel ME is not neutralized, it’s only disabled. This might make it more vulnerable to the thee-letter agencies.