The only 100% sure-fire way would be for you to read the code, understand it, compile it, and deploy it. Along with this you also need to trust all of the dependencies and libraries (e.g. libcrypto, libssl, libssh, libsodium, argon2 libraries, etc) that Strongbox uses. Further, do you trust the machine that you are running on? Could there be malware installed? How about the hardware, could it be tampered with? There is no another way for you to avoid having some trust of some part of the process and dependency stack. At some point you are left having to trust someone or something to some degree at a point where that’s comfortable for you.
Perhaps then, the best argument for trust comes simply from assuming a degree of self-interest on out part (Phoebe Code Limited) as a commercial endeavour. Strongbox has been around since 2014, and has been a commercial operation since 2017. It would be terrible for our us if there was ever any issue with Strongbox. This would mean a total loss of income for all the work that we have poured into it over time. On top of that, consider the legal ramifications of doing something nefarious. Strongbox isn't developed by some unknown random developer in a country with a dubious justice or tax system. Strongbox is developed by a fully registered UK based limited company (Phoebe Code Limited). There are full records of ownership, accounts and responsibility is easy to place. There are easier ways for indie software developers to make money. Spending many long years developing an app in the hope it becomes successful enough that, one day, performing some criminal actions in the future is a good idea. It would also be extremely obvious if Strongbox did this. Anyone can just monitor network traffic or reverse engineer the App and spot this. All it would take is one person to notice it and the App would be toxic and unusable and Strongbox/it's owners would be in severe legal trouble.
We care about this issue and we try to be as open as we can be. We have an entire FAQ dedicated to network traffic where we specifically link to tools can use to monitor Strongbox. We also enumerate the connections Strongbox can or must make. It is difficult to satisfy a question of this sort but it’s an understandable question. How do we prove a negative?
Strongbox reputation is flawless and but it is ultimately built on the trust of it's users and community. There doesn’t seem to be any easy or simple way around this as a small independent business. At the end of the day it’s always going to be your call whether you use Strongbox. At some point we all have to trust someone or something, somewhere along the line. We hope we've earned the community's trust and yours but if not we'll keep trying.