Proving a negative is absolutely basic when it comes to software. Security audits are commonplace, both internal and external. There were already vulnerabilities in PSP that have been found and confirmed, it's not some godlike code that's perfect.
Of course despite the audit there may still be vulnerabilities, but open-sourcing the code and having an independent body review it goes as far as possible to minimize the risk.
With PSP being both closed source and enforced, Intel is currently a safer platform (only as far as environment subsystems go of course, due to many of the speculative execution vulnerabilities not being patched yet), because ME can be castrated with ME_cleaner and so far we do not have a corresponding tool for PSP.
There is an option to disable PSP on some motherboards, but it has not been implemented by all vendors and there is no way to independently verify where this option does anything beyond placebo.