Some idea: what about using a Syncthing silent canary? https://canarywatch.org/
Who would do that and what for?
I run most of the few centralized things there are. I’m Swedish. The US has no official power over me and can ask whatever they like for a pleasant “no” in return. And I can’t really do anything to get at people’s data. I doubt anyone else can either.
I guess possibly I could try to insert some backdoor somewhere on someone’s behalf. I haven’t done so, and no one has asked. That could be a lie of course, but then the canary wouldn’t help either.
You could, to make sure there was no National Security Letter from whoever. Doesn’t it make sense for open source too?
But I don’t need to. That stuff is just for people under US jurisdiction who can’t say “I received a national security letter”. They can send me one if they like but it doesn’t mean anything because I’m not under US jurisdiction, so I can ignore it and tell the world about it as much as I like.
The same goes for the other core developers btw.
Silent Circle LLC and its principals and employees will in fact comply with such warrants and their provisions for secrecy as legally prescribed by US law.
That super-duper-doesn’t apply to me.
I’m not aware that there’s a Swedish equivalent btw, if someone was worried about the Swedish government trying to extract whatever data I don’t have from me.
As you said - maybe for someone else in the team. Whoever finds a manually added security hole could delete the canary. It’s just for all users to be sure the integrity of the software is ensured. This control is one of the benefits of open source - together with a canary, you could tell the users about it.
Whoever finds a manually added security hole would no doubt post it to Reddit for fame and internet points, so we’d all know.