Should Privacy Guides require open-source, source-first or source-available as a criteria for all tools?

Because option 3 means we would have to make it a criteria if it’s possible to do so, even if there is a reason it shouldn’t be a criteria.

For example, I think there is a reason to not do Require Open Source for Password Managers - #139 by jonah despite it being possible for the category, but both option 3 and option 2 would imply that we need to add the Require Open Source for Password Managers criteria, which I disagree with.