IzzyOnDroid repo vs GitHub vs AuroraStore for app downloads

Snibby

Let's say there is a 3rd-party FOSS app you want to install. The apk is available

directly on GitHub where the source of the apps is
in the IzzyOnDroid F-Droid repository (not the F-Droid repo itself)
published on the Google Play Store and thus available with AuroraStore

There are now multiple possibilities how to download and update the app:

GitHub (with Obtainium)
IzzyOnDroid (with Obtainium)
IzzyOnDroid (with a modern F-Droid client like Droidify)
Google (with AuroraStore)

Does any of these options stand out in a positive or negative way concerning security AND privacy?
I assume it's always at least partially a matter of who to trust.

The IzzyOnDroid repo does some additional checks and scans (see https://apt.izzysoft.de/fdroid/index/info), which is why I have included it. Without that, it would just be one instance more that you'd have to trust, which would be worse security-wise. Please correct me if I'm wrong.

Please note, I have not included the following options in the list of possibilities:

Download on the official Google Play Store (less privacy since you need to have a Google account and Play Services installed, but more security since you don't have AuroraStore as middleman, as discussed in other topics)
Use the F-Droid F-Droid repo (security concerns, see other discussions about this topic on the forums)
Direct download on GitHub without Obtainium (no auto-updates)

N1b

Here's my limited knowledge and strategy:

Sandboxed Google Play Store is and will always be the recommended way to install an app on GOS (only exceptions are apps that are available on GOS App Store or Accrescent via GOS App Store, but these are currently only a handful of apps).
Play Store is the most secure out of the 4 solutions you present. Most privacy issues can be tackled by using a throwaway account and a user profile for actually using the apps (and the owner profile exclusively for installing and updating them).
Maybe Play Store is not possible or decided against (e.g. apps are unavailable or severely limited compared to other sources). The next best thing would then be Obtainium and a trustworthy source directly from the app developers. Appverifier will help with approving apps installed this way. From my understanding, automatic and unattended updates are possible via Obtainium (contrary to your statement).

Everything else is maybe more convenient or easy to use (I use Droid-ify and Aurora Store myself for specific use cases). But if security and privacy are your main concerns, stick to GOS, Accrescent, Play Store and Obtainium (in this order).

Please correct me if I'm wrong here. From what I have seen so far, I'd trust @fid02 and @de0u to give much better advice (and of course the devs/mods).

de0u

N1b I appreciate the vote of confidence, but I am definitely not an app-store expert! My approach -- which I realize is not for everybody -- is:

I don't have Play or Android Auto on my phone,
I use almost no apps on my phone (around five),
Most of them I build myself from source on GitHub,
I installed OsmAnd from their site because apparently building it requires more time than I have, more brainpower than I have, or both. When I need it (not very often), I run it in a dedicated user profile.

Snibby

JustBeginnez
Gboard is not a FOSS app though, so it makes sense that it's not available through other sources. But thanks for explaining the possibility of updating an owner app from inside the private space!

N1b Your 3rd case is the most interesting concerning my original question. If I understand correctly, you value the direct source (e.g. Github) more than having to trust the IzzyOnDroid project? As in, Izzy's additional scans and checks are not worth it for the trust compared to the risk of for example having a bad release artifact on Github maliciously planted by an attacker?

I hope that Accrescent will gain good traction in the future.

JustBeginnez

Think about 4

For example, Gboard is only available from the Google Play Store.

First I installed Gboard in a private space(Google Play Services is available), then I installed Gboard using the aurora store in my main profile.

I update Gboard from Google Play in my private space.