Who compiled these binaries?
How many eyes were on the compilation process?
Last I checked “more than 90% of the packages in the Debian repository have been shown to be able to build reproducibly.” (source [Wikipedia]).
More Info: https://wiki.debian.org/ReproducibleBuilds
I would assume the same is for PureOS.
Although showing signs of reproducibility does not mean they are reproducible.
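An added example, not from this thread, of the check that turns "shown to be able to build reproducibly" into something verifiable: compare the digest of the published binary with what several independent rebuilders produced from the same source and recorded build environment, and count the package as reproduced only when at least two builders other than the publisher agree. The builder names and artifact bytes below are constructed.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample: the archive's published .deb and what three independent
# rebuilders produced. Real Debian rebuilders compare the checksums recorded in
# .buildinfo files; these artifacts are made-up byte strings, not real packages.
PUBLISHED_DEB = b"package contents built deterministically"
REBUILDS = {
    "rebuilder-a": PUBLISHED_DEB,
    "rebuilder-b": PUBLISHED_DEB,
    # An embedded build timestamp is a classic source of non-reproducibility.
    "rebuilder-c": PUBLISHED_DEB + b"\nbuilt 2024-01-01 00:00:00",
}


def check_reproducibility(published: bytes, rebuilds: dict, min_independent: int = 2) -> dict:
    """Compare each rebuilder's output against the published binary.

    Returns:
      reproduced_by: rebuilders whose output matches the published digest
      diverged:      rebuilders whose output differs, with their digest
      verified:      True only when at least min_independent independent
                     rebuilders matched, so a single rebuild (for example the
                     publisher rebuilding its own package) is not enough.
    """
    trusted = sha256_hex(published)
    reproduced_by, diverged = [], {}
    for builder, artifact in rebuilds.items():
        digest = sha256_hex(artifact)
        if digest == trusted:
            reproduced_by.append(builder)
        else:
            diverged[builder] = digest
    return {
        "reproduced_by": reproduced_by,
        "diverged": diverged,
        "verified": len(reproduced_by) >= min_independent,
    }


if __name__ == "__main__":
    print(check_reproducibility(PUBLISHED_DEB, REBUILDS))
```

With the sample above the package counts as reproduced (two independent matches) while rebuilder-c's divergent digest is reported for investigation; raising `min_independent` to 3 would fail it.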
How likely is it there is malware on these binaries?
Linux, in general, has a very low rate of malware.
Plus, PureOS has a very good bug reporting program and only installs free software applications by default. If any spyware was found and made public it would be stated everywhere.
As for applications installed after the vanilla installation, most have been audited to some degree.
Everything listed in the official PureOS repository is free software (to my knowledge).