At least with Firefox, since anyone can see the source code, it would be very hard for Mozilla to keep their malware hidden from the public. If you simply reject all of the non-free (free as in freedom) portions of the source code, that will probably be enough to keep Big Brother from having any backdoors in Firefox. GNU IceCat is a modified version of Firefox, and I doubt it has any such backdoors. Of course, that alone doesn't protect you from upstream surveillance, but at least it's better than nothing.
Also, if there's malicious code in Firefox, editing your hosts file probably won't do much to help, especially if Firefox is communicating with a government IP address, as opposed to a government domain.