I don't think that should be your primary concern. Of course such an OS could be compromised by developers who are incompetent or malicious, but the same is true of closed-source versions. In each case, you have to use your own judgement about the software which is run, which can be tricky. Here are some more specific answers about your concerns.
"This phone was bought in England and has nothing Russian about it, but when I use Tor Browser on it the DuckDuckGo settings default to Russian results despite the exit node not ever being based in Russia. Something about the handset/app is suggesting Russian connotations."
This is probably a browser setting. I don't know if the E OS has set Russian somewhere in the defaults, but you can check by checking the settings for DDG here: https://duckduckgo.com/settings. If it says it's using the browser's default language, then check in the settings to see if Russian is set as one of your languages. I often get this just for having set a priority queue of languages on my phone.
"Additionally, the default E OS app store appears to be a mirror of another store, but is registered anonymously and has an opaque operating policy."
This is one of the features of the E people. They want a mirror of a lot of Google Play apps, which isn't supposed to happen. You have to trust them to do it correctly. Or you could avoid their store or use a different version. Lineage OS, for example, does not operate a store so you may trust it more.
[Taking some things out of order]
"If I use EOS on the Samsung S8 it seems completely obvious that I should not be doing internet banking on the device, as I can't guarantee the authenticity of the side loaded banking apps or reliability of the EOS app store."
This is now your responsibility. You have to check the authenticity of your critical apps. You can do that by downloading them directly from the original source, whether that's F-Droid, the writer's site, or Google Play (you can use a few open clients for the Play store or another device). You could get a malware-laden version by searching for someone who cached an APK, but you have the option not to and it's not difficult.
"But the next concern after de-googling a handset using one of these operating systems is the true boundary security of the device. [...] People like me want to use an open source OS on their mobile phone but have nagging doubts and valid worries about security. Surely I can't be the only one worried that EOS and others are actually inherently insecure, customising aspects of Android that the open source developers don't fully understand all aspects of Android and the technical changes they are making to parts of the core operating system."
In this case, you are worried about something that usually goes the other way. I can't speak for all custom versions of Android, but I can about Lineage OS. In that case, they are using the open source AOSP code, which is maintained by the Android developers who already know about many details. They also release security updates daily, compared to the average manufacturer, which at best releases those updates monthly (normally much worse). They use known code which can be audited, unlike manufacturers who provide closed-source additional layers which they don't continue to update. You can and will have vulnerabilities in anything open, but you are virtually guaranteed to have more in the style of closed that most Android OEMs are using.
In your opening line, you also mentioned privacy. Nearly everything open source is not selling your information, meaning you're almost certainly guaranteed to be improving your privacy by using them. Privacy and security are among open source's strongest aspects. They will certainly not be perfect, and there are occasions where they will be bad, but I would not have the concerns that you have.