If we are talking about bigger projects with hundreds of thousands or millions of downloads, than this may be true. But smal scale projects have so few people actively looking through them that even to automatic scan done by the playstore has a higher chance of catching malware. It doesn't even have to be bad intent, two years ago there was a virus propagating trough the Java class files in minecraft mods which reached the PCs of quite a few devs before it was caught.
I don't dislike FOSS, a lot of the apps I use come straight from github, but all this talk about them beeing constantly monitored by third parties is just wishful thinking.
And you didn't understand what I said. While you can not monitor closed source at the code level, you definitely can monitor the apps behaviour. Even the automatic threat protection from the playstore protect function is worth more than the measly amount of people looking through smaller projects codebases.
I hate Google with a passion, but with all their control over android devices, they are more than capable of scanning apps for malicious behaviour and automatically removing them. These few apps in the article are the 0.01% of malicious apps that their algorithm didn't detect.