
The fact that our currently popular operating systems don't enable users to trivially 'disprove' such possibilities really shows how shitty they all are.





What is a way in which you could disprove this?

How could you disprove that the Ubuntu ISO doesn’t do the same thing?


Well apart from monitoring network traffic, with Ubuntu you can examine the source code for anything that you don't trust or dive into what system calls an application makes by using "strace".

How is this different for Windows? Can’t you monitor Windows network traffic as well?

Does Ubuntu provide reproducible builds? How do you disprove that the source code isn’t for the thing that you’re downloading?

The (not so) revealing thing here is that this isn’t a technical problem, but that Microsoft has just completely lost the trust of people.


Even without reproducible builds, you (or someone you hire or someone who's motivated) can get the source and create a drop-in replacement.

This is even more true on some other distros, e.g. Gentoo.

Without source and rights, Windows fails completely here.


Well you can try monitoring Windows network connections, but Microsoft do seem to love obfuscating it with connections to multiple different domains that they own.

You can't even look at the Windows source code, so your question about reproducible builds seems to be moving the goalposts somewhat.

Also, is there something like "strace" on Windows?

Edit: just looked it up and Ubuntu doesn't enforce reproducible builds, although with their new "Monthly Snapshots", Canonical is moving towards reproducible build pipelines.


What is Ubuntu's source code worth when you download precompiled binaries without checking if they were built with that source code?

That's your choice to do that and depending on your threat model, you may have some level of trust in Canonical to not screw over their customers.

I asked my original question very deliberately.

At the end of the day, it’s just about trust and reputation. I see no technical difference here for the ability to disprove random claims.


The necessary technical and UI/UX difference would be capability-based (https://en.wikipedia.org/wiki/Capability-based_security) microkernels like seL4 or Genode combined with high-level user interfaces that allow one to monitor and control the rights and actual resource access and usage of programs.

However, it is possible to audit the Ubuntu software against the source code which is something that you cannot do with Windows. That is a technical difference even if you don't acknowledge it.

Also, Linux does make it much easier to determine your level of trust as the different components can be analysed/verified independently (although systemd is a bit of a monolith) whereas it's a lot trickier to isolate Windows components.



