This would be a good step forward, but maybe not enough.
For example, they could be forced to first publish an update to all devices (through the third parties) which disables the third-party-checks. Then, they could be forced to put the backdoor on individual devices.
> For example, they could be forced to first publish an update to all devices (through the third parties) which disables the third-party-checks.
And the device wouldn't accept it. If I subscribed to an organisation over which USG has no sway, say Computer Chaos Club from Germany, then my update wouldn't be accepted unless additional signatures were provided from them. Unless USG forced Apple to abandon such a scheme for everyone, they would be powerless to backdoor individuals. I'm also not sure how relevant this is here, but in the US it's been established that software is speech and is protected by the first amendment, so there are limitations to the ways in which the US can influence Apple.
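The co-signing scheme described in the reply above, as an added example (not code from the thread or from any vendor): the device holds a policy naming the vendor key plus every third party its owner subscribed to, and an update installs only if all of them signed the same payload. Ed25519 keys are generated fresh here as constructed sample data; the signer names "vendor" and "ccc" and the payload strings are assumptions. The third scenario models the "publish an update that disables the third-party checks" move from the parent comment: since the check is device-side and applies to every update, that update needs the co-signature too.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Update is a signed release: the payload plus one detached signature per signer.
type Update struct {
	Payload []byte
	Sigs    map[string][]byte // signer name -> ed25519 signature over Payload
}

// Policy is the device-side trust configuration. The vendor key is always
// required; every third party the device owner subscribed to is also required.
type Policy struct {
	Vendor     ed25519.PublicKey
	Subscribed map[string]ed25519.PublicKey
}

// Verify returns nil only if the vendor and every subscribed third party
// signed this exact payload. Extra signatures are ignored; a missing or bad
// required signature rejects the update.
func Verify(p Policy, u Update) error {
	if sig, ok := u.Sigs["vendor"]; !ok || !ed25519.Verify(p.Vendor, u.Payload, sig) {
		return errors.New("missing or invalid vendor signature")
	}
	for name, pub := range p.Subscribed {
		sig, ok := u.Sigs[name]
		if !ok {
			return fmt.Errorf("missing co-signature from %q", name)
		}
		if !ed25519.Verify(pub, u.Payload, sig) {
			return fmt.Errorf("invalid co-signature from %q", name)
		}
	}
	return nil
}

// Sign adds the named signer's signature over the payload to the update.
func Sign(u *Update, name string, priv ed25519.PrivateKey) {
	if u.Sigs == nil {
		u.Sigs = map[string][]byte{}
	}
	u.Sigs[name] = ed25519.Sign(priv, u.Payload)
}

// Scenario runs the thread's three cases against one device policy and reports
// whether each update would be installed. Keys are generated fresh (constructed
// sample data, not any real vendor's or organisation's keys).
func Scenario() (broadUpdateOK, targetedUpdateOK, disableChecksOK bool, err error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	cccPub, cccPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	policy := Policy{Vendor: vendorPub, Subscribed: map[string]ed25519.PublicKey{"ccc": cccPub}}

	// 1. Normal release: shipped through the third party, which co-signs it.
	broad := Update{Payload: []byte("firmware v1.1")}
	Sign(&broad, "vendor", vendorPriv)
	Sign(&broad, "ccc", cccPriv)
	broadUpdateOK = Verify(policy, broad) == nil

	// 2. Update pushed to a single device with only the vendor's signature.
	targeted := Update{Payload: []byte("firmware v1.1 + extra for device 1234")}
	Sign(&targeted, "vendor", vendorPriv)
	targetedUpdateOK = Verify(policy, targeted) == nil

	// 3. An update whose payload would clear the subscription list: it is still
	// just an update, so the existing policy rejects it without the co-signature.
	disable := Update{Payload: []byte("config: subscribed=[]")}
	Sign(&disable, "vendor", vendorPriv)
	disableChecksOK = Verify(policy, disable) == nil
	return
}

func main() {
	broad, targeted, disable, err := Scenario()
	fmt.Println("broad:", broad, "targeted:", targeted, "disable-checks:", disable, "err:", err)
}
```

Running it prints `broad: true targeted: false disable-checks: false err: <nil>`: only the release every subscribed party co-signed is accepted. Weakening the policy therefore requires the same co-signatures as any other change, which is the property the reply relies on.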
So you expect other communities to review all code changes? No way. This would be a huge time sink, and so far has never worked in the past.
This only works for very narrow-scoped projects, where the reviewers are also part of the project. Thinking of OpenBSD, Qt or other projects where peer review is part of their internal structure.
So if other communities were to sign the releases, this would have to be automatic or semi-automatic. It would not be a review, but it would still be helpful, since those external observers can then see all releases in hindsight. So maybe years later some people find stuff and can trace it back to the point in time and the exact update by which it was introduced.
> So you expect other communities to review all code changes?
No. Third parties would just be a barrier against odd updates that don't hit everyone. If an update starts hitting everybody then it's probably harmless because everyone is getting it; if it appears at just 10 clients then it's probably a backdoor.