> No trust for Chinese products from Chinese companies

That's fair but Espressif is wayyyyyyy more open than ANY Western chip maker. The entire framework and toolchains are open-source for one thing. You get listings and sometimes pseudo-code for the internal ROMs (though no code). You get full access to datasheets, technical reference, and sdk documentation. Everything in their SDK is documented. You even get help on github. All of that accessible to anyone anywhere at any time.

Contrast that to the last time I worked with Nordic in a professional manner, I had to sign NDAs to get the full documentation and toolchain. Their toolchain contained binary blobs that when inquired about you get told "don't worry about it ;)" which is shockingly frustrating when a crash occurs in them and you're left trying to work around it. And if you're not a professional you're basically SOL and left with half-baked community toolchains, when they exist for a particular chip.

> Contrast that to the last time I worked with Nordic in a professional manner, I had to sign NDAs to get the full documentation and toolchain

That has to be at least 5 years ago, but even back then, 99% of their software was out in the open. Now, their SDK is open source, their official toolchain is based on the Linux Foundation's Zephyr toolchain and their docs are open and buildable. Their support is done on an open forum and complete data sheets are available both as PDFs and (with the exception of the nRF51) as web pages. They aren't allowed to publish their LTE stack because of operator licensing, their Bluetooth link layer is still distributed as a library and some upcoming SoCs aren't publicly available yet, but aside from this, they're as open as they can possibly be.

If I'm not mistaken a very significant part of that is due to hobbyist interest in the chips, not in the least by Sprite_tm (also a HN user, now employed by Espressif).

The ESP8266 essentially started out as a wifi modem, responding to AT commands transmitted over serial, but going from there to a full standalone device relied on a lot of work by enthusiasts[0] and a leaked proprietary SDK[1].

[0]: https://hackaday.com/2014/09/06/the-current-state-of-esp8266...

[1]: https://tweakers.net/reviews/7992/community-interview-sprite...

The vast majority of people who use ESP-32 smart devices, however, probably just give it the password to their WiFi.

Sure, but if one in a million people bothers to check what it is actually sending through their router, then any malicious activity would get detected and disclosed to the public - and since that hasn't happened, we can assume that it isn't happening on a large scale.

There is of course a limit to how much damage a device with such limited capacity can do.

And with the amount of tinkering that happens with these, if it were calling home someone would really have figured it out by now.

Some stick them on unrouted lans. But that may not preclude mesh like activity between restricted and unrestricted ESP-32's that are close enough to see each other.