I assume all code changes have the same unquantifiable level of uncertainty. Assessing risk implies a false certainty. It’s reasonable to ask “what evidence do you have this change is safe?” rather than “how risky is this PR?”
“We don’t have hundreds of measurements from forecasts of well-defined events. We have a slide of a handful of independent, complex risks, none of which have ever happened before. So we can’t know whether our probabilities were correct.”
https://longform.asmartbear.com/unmeasurable-metrics/