gjwkgjgk63162 (on mobile, so sorry for typos) Having recently posted about this and gone down the research rabbit hole myself, I'll say that the risks/benefits will vary from app to app and much of it will depend on your needs, your desire for convenience, and your general preferences.
Aurora is a good option for anonymity to get apps from the Play Store, but they may or may not work properly without sandboxed Google Play installed (very app dependent). There seems to be light discussion of some possible risks associated with Aurora Store from a security standpoint, but the opinions on this differ and I have not seen a strongly supported argument indicating safety concerns (but I'm not an expert, so your research may turn up different results).
APKs have the benefit of being direct from the developer, so if you trust the developer, then getting apps from their official site or GitHub is fine. There are a few caveats to this though:
1) Most sideloaded APKs will not update themselves (Signal is a notable exception), so you need to find a good way of tracking updates. There are various RSS readers you can download and set to monitor the GitHub or APK pages you want to monitor. There is also a pre-release app called Obtainium which functions like an RSS reader, but has built-in functionality to manually or automatically trigger updates and downloads. I'm still trying to figure out which RSS method I want to use myself, with respect to verifying various options' safety (these are also sideloaded APKs).
2) APKs not from the Play Store are just files you download from a website. This opens up many avenues to adulteration of the APK, such as a website being compromised and a legitimate APK being replaced with a malicious one, or people making look-alike sites/pages/sources to trick you into downloading a malicious fake. This threat can be minimized by verifying signing keys. However, I have not found a simple way of doing this on the device, so I have been checking packages on my Linux machine. There is also not a single way devs do this. Many use apksigner, in which case you have to download the same app package from different sources and then compare the signatures; or some may use GPG keys, in which case it is a little more straightforward. I don't know if everyone checks these, but it's a good practice IMO. AFAIK you only need to do this once, as there are built-in safeties to catch APKs with different keys from installing (someone correct me here if I'm wrong).
So it depends. I like using FOSS stuff and researching/verifying APKs doesn't bother me too much, but it is certainly not the most convenient way to do things. And someone feel free to correct me on any of these points. I am by no means a security expert.
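The apksigner-based check described in point 2, written up as an added example (not from the original post, and not part of apksigner, Obtainium or any app mentioned): it pins the developer's signing-certificate SHA-256 fingerprint once, then checks each newly downloaded APK against it on a Linux machine before installing. It assumes `apksigner` from the Android SDK build-tools is on PATH; the pinned fingerprint below is a constructed placeholder, not any real app's key.

```shell
#!/bin/sh
# Added example: pin an app's signing certificate and check downloaded APKs
# against it. Assumes `apksigner` (Android SDK build-tools) is on PATH.
# PLACEHOLDER fingerprint, constructed for this example; replace it with the
# digest the developer publishes (or the one you recorded from a trusted copy).
PINNED_SHA256="00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"

# normalize_digest: lower-case and strip colons/whitespace so that
# "AB:CD:..." and "abcd..." forms compare equal.
normalize_digest() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ': \t\r\n'
}

# extract_cert_sha256: read `apksigner verify --print-certs` output on stdin
# and print the "Signer #1 certificate SHA-256 digest" value (empty if absent).
extract_cert_sha256() {
    sed -n 's/^Signer #1 certificate SHA-256 digest: *//p' | head -n 1 | tr -d '\r'
}

# check_digest OBSERVED EXPECTED: print "match" (exit 0) or "MISMATCH" (exit 1).
# An empty observed digest is treated as a mismatch, never as a pass.
check_digest() {
    observed=$(normalize_digest "$1")
    expected=$(normalize_digest "$2")
    if [ -n "$observed" ] && [ "$observed" = "$expected" ]; then
        echo match
        return 0
    fi
    echo MISMATCH
    return 1
}

# verify_apk FILE: apksigner validates the signature itself (v1/v2/v3
# schemes); we then pin the signer certificate so a validly signed APK from
# a *different* key is still rejected.
verify_apk() {
    apk="$1"
    out=$(apksigner verify --print-certs "$apk") || {
        echo "signature verification failed for $apk" >&2
        return 1
    }
    digest=$(printf '%s\n' "$out" | extract_cert_sha256)
    check_digest "$digest" "$PINNED_SHA256"
}

# Usage: ./check_apk.sh downloaded.apk
if [ -n "${1:-}" ]; then
    verify_apk "$1"
fi
```

Pinning the certificate digest (rather than hashing the APK file) is what lets the same check work across updates: every release signed by the same developer key passes, while a file served from a compromised or look-alike site under a different key fails even if apksigner reports its signature as internally valid.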