Given the amount of scrutiny # is put under, considering how many companies and organisations rely on it for security, I personally trust that the community would've screamed by now if there were any source backdoors ;)

I'd be more worried about package repositorys enabled for # and whether those are secured enough (and packages signed etc.)