Your words, not mine. If they were afraid of malicious code coming from these sources they would’ve removed them earlier and not only after their legal department recommend these maintainers be removed.
Open source doesn’t mean that malicious code isn’t impossible though. For a project as large as the Linux kernel it is unlikely, but see the xz-utils incident earlier this year for example. https://en.wikipedia.org/wiki/XZ_Utils_backdoor
I don’t have any confirmations of your points
The kernel and its changes are open source, you can just look at the changes that were made.
Maintainers (not contributers or their contributions) associated with sanctioned russian companies were removed. The Linux foundation is a legal entity that has to comply with international sanctions.
If your university has a law faculty they might offer limited legal advice from current students for free or a reduced fee.
Even in that case the app doesn’t need to phone home. It doesn’t even need an internet connection on its own. You’d have to download the update yourself and then use the app to apply the patch, which is less user friendly to not-so-tech-savy users but possible. Just send an email with the necessary information to users who have subscribed to receive these kind of updates.
While I agree with the sentiment, the decision to remove these maintainers seems to have been purely legally based. It stands to reason that the Linux foundation will follow and remove sanctioned Israeli maintainers if they end up on a list of sanctioned companies/people.