It's not the gapps that makes it more/less open source. AOSP has always been open source. But if you want source access to all of your applications, then it's either AOSP or Mer. Sailfish is not open source by any stretch of the imagination. But Nemo is...

I actually think this is a good question that I cannot answer. To be extremely honest, I just assume that any point of entry to the Internet is susceptible to being snooped. How much it reports on you on the actual device is a true concern. Google wants to know about you. So does Apple. So does Microsoft.

If you want truly secure, I'd suggest no device is the only true answer.

Thanks for clarifying your position though. Security on a device you "own" now is a rare thing. And we've, as customers, allowed that to happen.

Good luck on your search.