F-Droid isn’t inherently "insecure", but it comes with trade-offs. It builds apps from source and signs them with its own key, which breaks update compatibility with versions from GitHub or Play Store. That means you’re trusting F-Droid instead of the original developer.
It’s great for privacy: no login, no trackers, open source only. But updates can lag, and some apps won’t work if they rely on the original signature.
Adding third-party repos doesn’t automatically increase risk; it just shifts trust to whoever runs that repo. So it’s less about being "insecure", and more about understanding the trust model.
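The signature mismatch described above can be checked before installing. This is an added example, not part of the original comment: it compares the signer certificate digests from the output of `apksigner verify --print-certs` for two builds of the same app. The digests and sample outputs are constructed, the function names are hypothetical, and the check assumes no signing-key rotation lineage is involved.

```python
import re

# apksigner prints one line per signer, e.g.
# "Signer #1 certificate SHA-256 digest: <64 hex chars>"
DIGEST_RE = re.compile(r"certificate SHA-256 digest:\s*([0-9a-fA-F]{64})\b")


def signer_digests(print_certs_output):
    """Return the set of signer certificate SHA-256 digests in the output."""
    return frozenset(d.lower() for d in DIGEST_RE.findall(print_certs_output))


def update_compatible(installed_output, candidate_output):
    """True if the candidate APK is signed by the same certificate set as the
    installed one, which Android requires before it will install the update
    over the existing app (assumption: key rotation is ignored here)."""
    installed = signer_digests(installed_output)
    candidate = signer_digests(candidate_output)
    if not installed or not candidate:
        # An unsigned or unparsable APK must never be treated as a match.
        raise ValueError("no signer certificate digest found")
    return installed == candidate


def sample_output(dn, digest):
    """Build constructed apksigner-style output for one signer."""
    return (
        f"Signer #1 certificate DN: {dn}\n"
        f"Signer #1 certificate SHA-256 digest: {digest}\n"
    )


# Constructed sample data: placeholder digests, not real certificates.
REPO_KEY = "a1" * 32       # key used by the repository that rebuilt the app
DEVELOPER_KEY = "b2" * 32  # key used by the original developer

REPO_BUILD_V1 = sample_output("CN=repo signer (constructed)", REPO_KEY)
REPO_BUILD_V2 = sample_output("CN=repo signer (constructed)", REPO_KEY.upper())
DEVELOPER_BUILD = sample_output("CN=developer (constructed)", DEVELOPER_KEY)

if __name__ == "__main__":
    print("repo v1 -> repo v2:", update_compatible(REPO_BUILD_V1, REPO_BUILD_V2))
    print("repo v1 -> developer:", update_compatible(REPO_BUILD_V1, DEVELOPER_BUILD))
```

A `False` result means the candidate build cannot replace the installed one in place; the existing app would have to be uninstalled first, and whichever key signed the build you then install is the party you are trusting for future updates.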