Sure, they could contract out with trusted third parties to review the code, but they would then need a mechanism to ensure that the binaries distributed to users matched the code that these trusted third parties were provided.
So yes, it is correct to say that it is not required that the project be made open source to corroborate their claims, but the alternative of keeping it closed source and having third parties verify every release is much more logistically challenging.
Step one in verifying their claims is providing the code. Step two is finding qualified people who are interested in reviewing it.
That review may never happen even if the source is available, but it's guaranteed to never happen if the source is not available.