The binary blob is not built reproducibly, which poses security risks, although Mozilla appears to have some kind of mechanism for verifying it:
"Mozilla and Cisco have established a process by which the binary is verified as having been built from the publicly available source, thereby enhancing the transparency and trustworthiness of the system."
The download is protected essentially by Mozilla's certificate pinning. We might want to have something stronger in place.
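As an added illustration (not Mozilla's or Cisco's code, and not a description of their actual process), the following sketch shows what "something stronger" than transport pinning can look like: the browser ships an expected digest of the blob produced from the published source, checks every downloaded copy against it, and a separate check confirms that independent builds of that source are bit-for-bit identical, which is what makes the shipped digest meaningful. The artifact name, the manifest, and the sample blob bytes are constructed for this example.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample artifact; stands in for a downloaded binary blob.
SAMPLE_BLOB = b"constructed example plugin bytes v1.0"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


# Assumed "expected digest" manifest of the kind a browser could ship with its
# own release: artifact name -> SHA-256 of the build made from public source.
# The name and value here are assumptions for this illustration only.
EXPECTED_DIGESTS = {
    "example-codec-plugin-1.0": sha256_hex(SAMPLE_BLOB),
}


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str  # "ok", "unknown-artifact" or "digest-mismatch"


def verify_download(name: str, data: bytes, manifest: dict[str, str]) -> Verdict:
    """Accept a downloaded blob only if its digest matches the shipped manifest.

    Transport pinning proves who served the file; this check proves that what
    was served is the exact artifact whose source was published and audited.
    """
    expected = manifest.get(name)
    if expected is None:
        # Nothing to compare against: refuse rather than trust the transport.
        return Verdict(False, "unknown-artifact")
    actual = sha256_hex(data)
    # Constant-time comparison of the hex digests.
    if not hmac.compare_digest(actual, expected):
        return Verdict(False, "digest-mismatch")
    return Verdict(True, "ok")


def builds_reproducible(builds: list[bytes]) -> bool:
    """True when two or more independently produced builds are identical.

    A shipped digest only vouches for the source if rebuilding that source
    yields the same bytes; otherwise nobody can tell what the blob contains.
    """
    if len(builds) < 2:
        return False
    digests = {sha256_hex(b) for b in builds}
    return len(digests) == 1


if __name__ == "__main__":
    name = "example-codec-plugin-1.0"
    print("genuine:", verify_download(name, SAMPLE_BLOB, EXPECTED_DIGESTS))
    print("altered:", verify_download(name, SAMPLE_BLOB + b"\x00", EXPECTED_DIGESTS))
    # Constructed "second build" that differs only by an embedded timestamp,
    # the classic cause of non-reproducible output.
    print("reproducible:", builds_reproducible([SAMPLE_BLOB, SAMPLE_BLOB + b" built 12:00"]))
```

The digest check replaces trust in the download channel with trust in the release that carried the manifest, so an attacker who controls the server (or a mis-issued certificate) cannot substitute a different blob without also changing the shipped digest. The reproducibility check is what lets a third party confirm the digest independently instead of taking the vendor's word for it.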