Why should I trust closed-sourced apps like XOR Drive, form.id, etc if they’re closed source? What can assure to me that they’re not using they’re private code to upload my data to some other cloud drive besides Gaia?

In my opinion, even open source, there’s no guarantee that it’s exactly the same version between the one on Github and the one on their servers.

Could network request inspection/monitor help check that? And as JS files are downloaded and executed on our browser, maybe we can inspect them too.

Is that a way to identify closed-sourced apps that they use gaiahub as storage or not?

You can only trust the apps if you can deploy it yourself e.g. from git like OI Calendar. You can also use an (still to be developed) browser that verifies outgoing internet connections.
Also the loaded code should be verified through a hash that is associated to a blockstack Id of the app.

This is a key factor for true “decentralization”

publish your app with a hash, have third party auditors audit the release with said hash, when using the app, hash it client side and make sure it lines up, badda bing, badda boom.

Also this was a fun discussion that relates to this topic (and with self-deployment).

It would be great if Blockstack had a “deploy it” yourself branding, similar how Heroku or Netlify brands their self-deployments: