Draiodoir
So, let's break some concepts before answering your question.
When you install an app on Android, you are responsible for checking what you are installing.
The smartphone will never do something on your behalf without consent.
You have some features helping you.
The first is, no app in GOS can install other apps by default, with the exception of Files (and possibly Graphene Store? Android 16 changed some things).
The other one is certificate pinning, which is not something you will do manually; it's handled by the OS for you.
This means that after the first installation, all the updates must have the same signature to be installed.
As @Johnnyloans explained, if you go to the developer official website you are sure you are installing the original intended apk, especially if you have an md5 you can check it against.
Let's say you installed Tuta Mail from tuta.com.
From now on you have to browse the site every day to check if they released a newer version of the app, download it and update it.
This is very time consuming, especially if you have more than one app installed using this method.
The very same applies if you install apps from GitHub (GitLab, etc.).
For this reason they created apps like APKUpdater and Obtainium, to automate this process.
You set Obtainium with the page you want to "monitor" and it will fetch updates for you.
The update process will be successful as long as the app signature doesn't change.
To reply to your questions:
Draiodoir What's the purpose of using the app stores and repositories we've been talking about instead of using the apps straight from the companies whose product we use?
Automation is the biggest advantage: if you installed 10 apps, you don't have to manually visit 10 websites every day.
Draiodoir If I do download apps directly from sites should I be checking they're being updated?
If the app doesn't have a built-in update system, yes, you need to check their website manually (unless you migrate to Obtainium and the like, which will do it for you).
Draiodoir instead of searching for an app on GitHub/GitLab via Obtainium, go directly to GitHub (the source) and install the app manually from there first and then add it to Obtainium
In my understanding, this doesn't add any layer of security.
You can copy the GitHub link, add it to Obtainium and just install the app through Obtainium.
This will also ensure that Obtainium will have the right to update the app.
If this was what you were referring to, my bad, I didn't understand.
Draiodoir so if something malicious was happening with Obtainium it wouldn't be able to install a malicious update
Take into account that your "defense line" is the certificate pinning. This means that if the attack falls under the Supply Chain Attacks, you will probably install malware.
This is not avoidable by the store app and it is the main reason people in here might discourage the use of the official f-droid repository.
Onlyfun Really tried Obtainium - too hard = unreliable.
While I would agree that a program/feature too hard to use might be of no use for a specific person, I would say that this doesn't make it unreliable.
Everyone can choose their tools (based also on mere subjective opinions), but this shouldn't set a rule for others.
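As an added illustration (not part of the post above, nor code from Android, Obtainium or Tuta), here is a small Python model of the two checks the reply describes: comparing a downloaded APK against the digest the developer publishes, and the OS refusing an update whose signing certificate differs from the one recorded at first install (what the post calls certificate pinning; Android also refuses a lower versionCode by default). The package name, certificate bytes and release feed are constructed stand-ins; a real check reads the certificate digest with `apksigner verify --print-certs`, and the cryptographic validation of the signature block itself is assumed to have already passed.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded signing certificates (not real keys).
DEV_CERT = b"constructed DER bytes standing in for the developer's signing certificate"
OTHER_CERT = b"constructed DER bytes standing in for some other party's certificate"
PACKAGE = "com.example.mail"  # constructed package name, not a real app


class SignatureMismatch(Exception):
    """Update signed by a different certificate than the installed app."""


class Downgrade(Exception):
    """Update carries a lower versionCode than the installed app."""


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the signing certificate: the identity the OS records per package."""
    return hashlib.sha256(cert_der).hexdigest()


def download_matches(apk_bytes: bytes, published_sha256_hex: str) -> bool:
    """Does the file we fetched match the digest the developer published on their site?"""
    actual = hashlib.sha256(apk_bytes).hexdigest()
    return hmac.compare_digest(actual, published_sha256_hex.lower())


class PackageManager:
    """Model of the installed-package table: package -> (versionCode, signer fingerprint)."""

    def __init__(self):
        self.installed = {}

    def install(self, apk: dict) -> str:
        pkg = apk["package"]
        fp = cert_fingerprint(apk["cert_der"])
        if pkg not in self.installed:
            # First install: whatever signs it now becomes the pinned signer.
            self.installed[pkg] = (apk["version_code"], fp)
            return "installed"
        cur_ver, cur_fp = self.installed[pkg]
        if fp != cur_fp:
            raise SignatureMismatch(f"{pkg}: signer {fp[:12]} != installed {cur_fp[:12]}")
        if apk["version_code"] < cur_ver:
            raise Downgrade(f"{pkg}: {apk['version_code']} < {cur_ver}")
        self.installed[pkg] = (apk["version_code"], fp)
        return "updated"


def update_from_feed(pm: PackageManager, package: str, releases: list) -> str:
    """Obtainium-style step: pick the newest release, verify the download,
    then let the package manager enforce signer continuity."""
    if package not in pm.installed:
        return "not installed"
    latest = max(releases, key=lambda r: r["apk"]["version_code"])
    if latest["apk"]["version_code"] <= pm.installed[package][0]:
        return "up-to-date"
    if not download_matches(latest["apk"]["payload"], latest["sha256"]):
        return "rejected: download digest mismatch"
    try:
        return pm.install(latest["apk"])
    except SignatureMismatch:
        return "rejected: signer changed"


def make_apk(package: str, version_code: int, cert_der: bytes, content: str) -> dict:
    """Constructed APK record: the bytes are a stand-in for the real archive."""
    payload = f"{package}:{version_code}:{content}".encode()
    return {"package": package, "version_code": version_code,
            "cert_der": cert_der, "payload": payload}


def release(apk: dict, tampered: bool = False) -> dict:
    """A feed entry: the APK plus the digest the developer published for it.
    tampered=True models the file being swapped after the digest was published."""
    digest = hashlib.sha256(apk["payload"]).hexdigest()
    if tampered:
        apk = dict(apk, payload=apk["payload"] + b" unexpected bytes")
    return {"apk": apk, "sha256": digest}


def demo() -> list:
    """Walk through: manual first install, a good update, a re-signed update, a tampered file."""
    pm = PackageManager()
    out = []
    v1 = make_apk(PACKAGE, 1, DEV_CERT, "v1")
    out.append(pm.install(v1))                                         # manual install from the site
    v2 = make_apk(PACKAGE, 2, DEV_CERT, "v2")
    out.append(update_from_feed(pm, PACKAGE, [release(v1), release(v2)]))
    v3_resigned = make_apk(PACKAGE, 3, OTHER_CERT, "v3")
    out.append(update_from_feed(pm, PACKAGE, [release(v2), release(v3_resigned)]))
    v3 = make_apk(PACKAGE, 3, DEV_CERT, "v3")
    out.append(update_from_feed(pm, PACKAGE, [release(v3, tampered=True)]))
    return out


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Note what the model does not protect against, which is the point made in the reply: if the developer's own signing key is used to sign a malicious build (a supply chain compromise upstream), both checks pass, because the digest is published by the same party and the signer has not changed.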