Ax788
I am not sure what kind of attack you are trying to assess.
If you are trying to assess a third-party app that pretends to be Obtainium, as others said, it will not be able to update any app.
For a newly installed app it could potentially succeed if you interact with the prompt.
If you are trying to assess an attack on the "supply chain" (in other words, they could push a rogue Obtainium update in their official repository), I would say that, apart from a notice from the dev, this kind of attack could update apps if they are signed with the same key.
If you combine this security feature with the impossibility of downgrading an app, this effectively means that they wouldn't be able to install any arbitrary app without your consent.
This is basically the difference between an app installed through Obtainium (from their official repo) and an app installed through an f-droid client (from the main f-droid repo only).
Btw, with the "supply chain" attack they probably could uninstall something you installed with Obtainium in the past, so the damage they can do is related to service/data availability, especially if the app doesn't sync with an external source.
Also, in a "supply chain" attack they wouldn't need to install any other app, because they already could push code into Obtainium itself.
While this is technically doable, it would require a lot of effort to succeed, and apart from the very low gain an attacker would have, it would require the Obtainium team/infrastructure to be weak and/or vulnerable.
As previously said by others, very unlikely.
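The rules the post above relies on (an update must carry the same signing key as the installed app, a lower versionCode is rejected, a brand-new package still needs the user's consent) can be written down as a small decision procedure. The block below is an added example, not code from the post or from Obtainium; it is a deliberately simplified model of the Android package manager's checks, not the real implementation. Package names, versionCodes and signer digests are constructed; the two failure names mirror the Android `INSTALL_FAILED_UPDATE_INCOMPATIBLE` and `INSTALL_FAILED_VERSION_DOWNGRADE` result constants.

```python
"""Simplified model of the install/update rules discussed above.

Added example, not the original post's or Obtainium's code. The signer digests,
package names and version codes are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Names mirror Android PackageManager install-failure constants.
INSTALL_FAILED_UPDATE_INCOMPATIBLE = "INSTALL_FAILED_UPDATE_INCOMPATIBLE"
INSTALL_FAILED_VERSION_DOWNGRADE = "INSTALL_FAILED_VERSION_DOWNGRADE"
NEEDS_USER_PROMPT = "NEEDS_USER_PROMPT"
UPDATED = "UPDATED"
INSTALLED = "INSTALLED"


@dataclass(frozen=True)
class Apk:
    package: str
    version_code: int
    signer_sha256: str  # hex SHA-256 of the signing certificate (constructed)


def evaluate_install(installed: Dict[str, Apk], candidate: Apk,
                     user_consented: bool = False) -> str:
    """Decide what the (modelled) package manager does with `candidate`.

    A package that is not installed yet can only go in through the install
    prompt, so without consent it never lands. For an installed package the
    signer must match exactly and the versionCode may not go backwards.
    """
    current = installed.get(candidate.package)
    if current is None:
        return INSTALLED if user_consented else NEEDS_USER_PROMPT
    if current.signer_sha256 != candidate.signer_sha256:
        return INSTALL_FAILED_UPDATE_INCOMPATIBLE
    if candidate.version_code < current.version_code:
        return INSTALL_FAILED_VERSION_DOWNGRADE
    return UPDATED


def assess_rogue_pushes(installed: Dict[str, Apk],
                        pushes: List[Apk]) -> Tuple[List[str], Dict[str, str]]:
    """Model a compromised updater pushing APKs with no user interaction.

    Returns the packages that would be silently replaced and, for every push,
    the outcome, so the reader can see which rules stopped each attempt.
    """
    outcomes = {p.package + "@" + str(p.version_code): evaluate_install(installed, p)
                for p in pushes}
    silently_updated = [p.package for p in pushes
                        if evaluate_install(installed, p) == UPDATED]
    return silently_updated, outcomes


# Constructed sample device state: two apps installed through the updater.
GOOD_SIGNER = "aa" * 32   # constructed digest of the legitimate dev key
ROGUE_SIGNER = "bb" * 32  # constructed digest of an attacker-controlled key


def sample_installed() -> Dict[str, Apk]:
    return {
        "org.example.notes": Apk("org.example.notes", 42, GOOD_SIGNER),
        "org.example.sync": Apk("org.example.sync", 7, GOOD_SIGNER),
    }


def sample_pushes() -> List[Apk]:
    return [
        Apk("org.example.notes", 43, GOOD_SIGNER),   # same key, newer: goes through
        Apk("org.example.notes", 41, GOOD_SIGNER),   # same key, older: downgrade blocked
        Apk("org.example.sync", 8, ROGUE_SIGNER),    # attacker key: signer mismatch
        Apk("org.example.backdoor", 1, ROGUE_SIGNER),  # new package: needs the prompt
    ]


if __name__ == "__main__":
    silent, outcomes = assess_rogue_pushes(sample_installed(), sample_pushes())
    for push, result in outcomes.items():
        print(push, "->", result)
    print("silently replaced:", silent)
```

The point the model makes concrete: a rogue updater only gets the first push through, because it is the one case where the key matches and the version goes forward. Everything else either fails the signer check, fails the downgrade check, or stops at the install prompt. Real devices add further conditions on top of this (which installer may update what without interaction varies by Android version), so treat the block as the lower bound the post describes, not as a full description of PackageManager.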