F-droid should be avoided when you can get an apk release directly from the developer or the Google Play Store. Obtanium is great for managing this.

https://github.com/ImranR98/Obtainium https://privsec.dev/posts/android/f-droid-security-issues/

not sure why you are saying this. if it's about security, it depends on your threat model

Your "threat model" requiring the option shown to be least safe doesn't make its vulnerabilities less so. To develop a "threat model" one must first ascertain the system's intrinsic risk before leveraging one's specific needs. If the outcome is the least secure option, then only your risk increases, the security of each option remains unchanged.

I don't think there is an "intrinsic risk" in anything. I personally trust F-Droid more than Obtainium and even more than most original developers themselves, because

1) F-droid has been around for a long time and it's proven to be well governed.

2) F-droid tells me if the software is still maintained, if it's a fork of another project, if the opensource software is using non open service as a backend, etc..