I took a brief look at the source but I wasn’t able to find it yet.
But the Comment on github seems to be right. What I did was, I shared a document on my cloud and opened the shared document in private browser which will make the welcome screen appear.
And sure enough, in the network console of the browser debug mode there are connections to rating.collaboraonline.com:
//edit: It even gets worse. Since its loading the entire welcome.html and other js files, this would be a possibility to inject malware on all CODE instances if the collabora host gets compromised. This is a big no-no.