- The apps come from Google, Aurorastore just allows proxied downloads and manual selection (device faking, older versions, ...), also not this stupid login thing and unnecessary permissions and tracking, like what sandboxed Play should be imho
- Firefox may include it themselves, at least Fennec, Mull, Tor for Android have it as stubs (inactive but still detected)
- Reddit answer Tor Blog
Downloading APKs externally vs. from a repo
Downloading APKs is dangerous. HTTPS helps certifying the origin, because "I am the owner, this is my app" are all things that have to be proven using the methods of asymmetric encryption (private keys, signing). F-Droid compiles the apps from source, so it is what they claim to publish. If you download precompiled .apks the devs could actually change it; you could still compile the source code yourself and compare the hashsums, but nobody does that. If devs then add .sha256sum files or .asc PGP signatures (you need their PGP key first), this is only to prove that the .apk comes from them, not that the .apk is what they claim in the source code it is. So you see, downloading from external sources is COMPLEX and F-Droid makes all that very easy. It's the principle of a trusted Linux repository.
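As an added example (my own script, not from the post or from F-Droid), here are the two checks the paragraph describes written out: comparing a downloaded APK against the developer's published .sha256sum file, and against a build you compiled yourself. File names and bytes are constructed sample data; verifying an .asc PGP signature is left to gpg and is not reimplemented here.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hex SHA-256 of a file, hashed in chunks so a large APK need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_sha256sum(text):
    """Parse `sha256sum`-style lines ("<hex>  <name>" or "<hex> *<name>") into {name: hex}."""
    entries = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        digest, _, name = line.partition(" ")
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"not a SHA-256 line: {line!r}")
        entries[name.strip().lstrip("*")] = digest.lower()
    return entries

def check_apk(apk_path, sha256sum_text, locally_built_apk=None):
    """Two separate questions: is this the file the developer published (checksum match),
    and does it correspond to the source (match against a build we compiled ourselves)?"""
    apk_path = Path(apk_path)
    actual = sha256_file(apk_path)
    published = parse_sha256sum(sha256sum_text).get(apk_path.name)
    result = {
        "listed_in_checksum_file": published is not None,
        "matches_published_checksum": published == actual,
        # None = no local build given; builds are often not reproducible, so False means "cannot confirm"
        "matches_local_build": None,
    }
    if locally_built_apk is not None:
        result["matches_local_build"] = sha256_file(locally_built_apk) == actual
    return result

def demo():
    """Constructed sample data, not a real APK: a download, its checksum file, a rebuild."""
    with tempfile.TemporaryDirectory() as d:
        apk = Path(d) / "app-release.apk"
        apk.write_bytes(b"PK\x03\x04 constructed sample, not a real APK")
        local = Path(d) / "rebuilt.apk"
        local.write_bytes(apk.read_bytes())           # pretend the rebuild is reproducible
        published = f"{sha256_file(apk)}  app-release.apk\n"
        good = check_apk(apk, published, local)
        apk.write_bytes(apk.read_bytes() + b"\x00")   # download altered after publishing
        bad = check_apk(apk, published, local)
    return good, bad
```

The checksum comparison only tells you the file is the one the developer published (and only if the checksum file itself is authentic); only the local-build comparison ties the binary back to the source.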
Apps not on F-Droid
If an app is not on F-Droid, in most cases it's not open source and you can't trust it. Use it with internet permission off, maybe also battery restricted and storage scopes to only what they need. If you have no Play Services installed, that's it, the app will mostly not be able to collect your data, only if you have an app with internet permissions that this app is talking to. So also use the Work profile (Shelter, Island) or even another user profile, to isolate it even further.
Mull vs Chromium
Mull is hardened Firefox. It is still the only mobile browser that allows addons and it is pre-hardened. It has no good tab isolation and less security features than Firefox desktop or Chromium, that's why you can use Vanadium / Brave mobile if you want security; I prefer Mull for privacy and features.
I mean, you can't use uBlock or NoScript (I would be fine with only those two, although more are nice), custom search engines like searx.neocities.org etc. Vanadium is pretty vanilla on the UI, which makes it not ideal for privacy.
Addons are hard, as the permissions are not very well visible on Firefox mobile. Use as few addons as possible, trusted ones like NoScript, uBlock, not many more. Many things like video downloading or printing can be done on Firefox desktop natively, but there are useless addons just redirecting you to a webservice. Look out for that. Also, Firefox mobile supports fewer features like printing or video downloading, so you need these webservices if you really need that feature. You can disable addons if you don't currently use them.
An addon I was curious about: "Translate webpages", actually is offline until you choose to translate a text. Even language recognition is done offline, the dev says. It is open source. I still keep it deactivated most of the time.
Addons that don't interfere with the outside look of your browser can't be detected by websites and used for fingerprinting. No website will see if you have "add custom search engine" installed on desktop. They will see if you use Privacy Badger, uBlock and NoScript together though, because of these changes.
This is an interesting read, a guy hardening Brave talking about fingerprinting
Everyone is new at some level. I have no idea of complex coding like in GrapheneOS, I only somehow understand what to use and what not. Everything has pros and cons.
(also always make bookmarks of everything, so you don't rely on search engines and will not click on fake sites, except if these sites have expired TLS certs or, cough, z-lib got raided by the Feds)