
Because adding a repo via some random online URL is the exact same reason why downloading random Windows executables creates tons of opportunities for malware to infect computers.

The whole point of software stores is giving users the ability to trust the motives of the software they install, because the store and / or its users would never condone hostile software being hosted there.

Once you start having everyone run their own F-Droid repos, you are having independent developers give you their own trust keys, but you have no one else who needed to verify those developers were legitimate.

F-Droid itself is not particularly secure, given anyone can upload anything there, but in the same way the Arch Linux AUR, openSUSE Build Service, Ubuntu Launchpad, etc. work, those third party software repositories are at least hosted by a trusted maintainer of the store / repo itself. If anyone ever uploaded malware there, once found out, it would be taken down and the responsible users banned.

With distributed app stores under F-Droid, or the equivalent third party repos for Arch / Suse / Ubuntu, the host has absolutely no control over the behavior of third parties, and thus anyone can host all the hostile malware they want, and if users add those repos they give them absolute trust in doing so.

That isn't a valid security model by any estimation.




You trust Facebook when you log into Facebook.com. Facebook.com/fdroid would be the hypothetical trusted endpoint for Facebook apps. You should not have one gatekeeper that ensures everything is safe. They can sensor content, fail to catch something or prioritize some apps over others. Having a default repo where there are restrictions, rules and vigilance makes sense, but you should be able to opt into another circle of trust AND get notified of updates, changes, version numbers etc. If you can't trust a company enough to run their binary, then don't add their repo.

The alternative is to download static APKs today and maintain updates yourself (bad) or remove the freedom to install what you want on your device.


For the vast majority of software I imagine most users do not have a relationship with the vendor going in. Independent repos naturally can (and do) work for large software. For example, the Mega client for Linux is provided as its own self-hosted repo by Mega Ltd, where they provide repositories for most distros.

But for, say, an app for a restaurant or a document reader, you would not know or have any reason to trust the vendor, so if they are self-hosting their own repos you are taking a tremendous risk trusting them.

The end result would probably remain the same - users might use third party repos for huge popular apps, but small apps would still need to stay centralized because there is no way to introduce a viable trust model against an organization you never interacted with before.


I think people trust too much generally. That's not going to change with any paradigm put forth. However, if you're running binaries from vendors you don't trust, you're playing with fire even in a regulated app store.

Most people don't change their default browser; adding third party repos would be similar. Removing the ability for the owner of a device to install software they want fixes one symptom, not the main issue of trust. Also, it makes your device into a glorified feature phone. No thanks.


OT and FYI: I think you meant 'censor' instead of 'sensor'


Oops, was writing on my mobile. Can't edit it now, thanks though.



