Please describe exactly the software change you imagine would produce this result, and describe how it gets from the attacker's head onto the machines where it needs to run.
In other words, I think you have handwaved and imagined 2 different required things which probably simply don't exist. Or at least, may exist but could easily not exist.
There may be no such thing as a software change that will give a back door to the data. It depends how the system is designed, which I do not know.
And there may be no such thing as a way to get such software change onto customers' machines without passing through review by multiple someone else's. Even if one, as owner of a business, has the power to change the review policy itself, it's still physically impossible to do that without everyone else knowing it happened.
Tarsnap would have to be a sole-developer, sole-proprietor business (or a multi-employee business run as badly as crypto custodians apparently all are) for that to even be physically possible. Which maybe it is, but it's not the impression I've formed of that company over the many years. Not a customer, and know nothing of either the software or the company's internal workings.