I would much rather have a repository system like F-Droid (or you could compare it to Debian/AUR/openSUSE) where the publisher has to create a repository that respects some kind of standard so that they can distribute their software.
NewPipe does this for F-Droid in order to deploy the updates faster. Otherwise, F-Droid needs to verify, compile and deploy themselves and it usually takes a few days.
F-Droid repositories are equivalent to alternative app stores, including all of the associated malware risks they bear, just with a nicer UI and lower barrier-to-entry than building your own app store.
F-Droid's rules exist specifically to ensure that an app's source code corresponds with its binaries. This reduces the risk of using F-Droid because all source code is available and auditable. There is no guarantee that said source code has been audited, and FOSS malware does exist[0], but it makes it harder to hide such code.
I would personally prefer if Google Play had similar requirements, but the entire industry would be up in arms if Google started mandating source code escrow.
[0] Notably, the ironically-named `peacenotwar` package on npm, which is a cyberwarfare tool that attempts to wipe files on Russian and Belarusian machines.