Thank you so much, everyone, for your input. Already watched the video, got Obtainium and established an overview.
Since I am not installing Google Play on my main profile, I am looking for another way of having a secure way of installing files, yet still profit from automated updates. Reading through all the documentation, it's all about tradeoffs and threat model, which makes it hard to assess as a beginner (e.g. Google Play Store Security vs Privacy).
Would it be unreasonable to proceed as follows (ranked):
- Install from the Play Store whenever Google Play Services has to be activated on a profile as it's needed anyway, e.g. banking apps profiting from highest security --> a drawback on privacy is okay here
- Initial install directly from GitHub or Provider Website (trusted source) in combination with Obtainium (automated updates) and AppVerifier --> here I'd have increased privacy as no Google Play Services, with security managed with trusted source/Obtainium/AppVerifier.
- Only use F-Droid (apparently new versions are available relatively late) and Aurora as a third priority --> here I'd have automated updates but lower security (over Google Play) but better privacy (over Google Play)