Sorry. I was misleading there. I edited it. The password is hashed and salted. I meant that admin can collect the password in plaintext only if they wanted to

I didn’t look at Lemmy’s source but I’m pretty sure it is hashed. The thing is, password is hashed in the database only to protect users in case database gets hacked. But a bad admin of the server can always just change the code and nobody would know. When it comes to websites, open source doesn’t provide any additional security, since everything that happens on the server is a black box. I’m not an expert on this though. Correct me if I’m wrong

It’s not just upvotes and downvotes. Instance admin also knows your email and can store your password in plaintext if they want to. It’s up to user to decide whether to trust the instance admin