Obviously we all want to avoid enshittified (aggressively monetized) software or at least get our money’s worth. I’m looking at self-hosting software right now and one I’m looking at has a pricing page but only for cloud (no other paywalled features) and is open source. I tried looking up future plans and didn’t find much, so it doesn’t seem like it will enshittify. (not related) I had thought about switching to Omnivore for a long time but then they merged with ElevenLabs and the rest is history.
I would add to always check for portability. The service should provide a way to export/move your data without much hassle, and in a reasonable format that you can reuse your data elsewhere. If you are bound to an exclusive format or service, it has more chances to get enshittified.
Technically the only way you can vet is by having root access to their servers and law-officer-level access to their documents.
Failing that, I can think of four baseline conditions to venture that a given product “shouldn’t” enshittify, or that at least the utility of the project is recoverable (or forkable) if it does:
Req 0: Copiability. The software actually provides a full offline (or local) service. There’s no way (that I know of!) to enshittify something that can live fully independently from its “mothership”.
Req 1: “Letter and Spirit”. License has to be Free Software (not just “Open Source”) with all the liberties that come with it. (I assume in the future, an exception might be made to allow for New Ethical licenses that would be not FOSS as per the current definition)
Req 2: Reproducibility. Someone else has to have verified that using the source release builds the whole product (at most excepting “assets” like logos). This is usually verified empirically by someone getting to run and maintain a competing instance.
Req 3: No bite hand. The provider must have not used legal measures to exercise violence or restrictions against users of the product (be those consumers or devs). This includes e.g. using the DMCA to punish reviews, or punish implementation of req 2.
If a combination of provider and product completes those four requirements, I feel relatively well assured that the product can’t reasonably enshittify, or at least that if it were to happen, there will be enough advance notice and devel momentum that the value of the product can be recovered from it.
Anytime there is an open source “community edition” and a closed-source “enterprise edition” it’s pretty suspect. There will always be a temptation to make the community edition a bit crippled, to drive sales of the paid version.
Make sure they have an open source version, and if they fuck around, find a fork.
There’s no 100% indicator, but presence/non-presence of a contributor license agreement that gives them the rights to distribute under any license is the best one I’ve found. Corporate backed FOSS where they want the option to turn into non-FOSS “just in case” means that will inevitably happen after people are locked in. Best place to look for one is the project’s documentation on how to contribute/how to send pull requests.
Stuff licensed under BSD/MIT style permissive licenses doesn’t need a CLA to go proprietary, but the ones that do tend to have a CLA anyway.
“CLAs” that are just a sign-off (developer certificate of origin like used by the kernel) are fine and are also treated as a CLA every so often, but the moment you see anything about giving one specific company a “perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license” or the like, run for the hills.