Should Privacy Guides require open-source, source-first or source-available as a criteria for all tools?

Correct, but I think these are more fine grained details that vary case by case depending on the product.