The Chinese government can create poisoned Trojan Horse LLMs and then simply feed them to the USA, because people in the USA have a false sense of security about Open Weights LLMs they self-host.
People think if you self-host stuff you're totally safe, but the weights can be pre-poisoned.
AFAIK the threat vector I'm identifying has never been exploited, and I've never even heard anyone else describe or mention it.
Open Weights LLM Models can be run by anyone. They're just a downloadable data file.
So, yes, there are companies (in both China and the USA) that do host them for you as well. For example, I think Perplexity does host DeepSeek R1, so people who don't have their own hardware can still make use of it.