Security-wise, what are the implications of directly downloading an APK from the developer’s repository—i.e. GitHub—compared to the Google Play Store?
The best practice seems to be to verify the signature with apksigner, but in most cases I cannot find a way to compare the obtained signature with a trusted reference (except for Signal). Besides, this also means that you have to trust your PC, which is considerably less secure than a smartphone running GrapheneOS.
So, it seems to me that direct downloads like these are less secure than getting the app from the Google Play Store (although I would love to be less involved with Google products on my phone).
What do you think?
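One way to close the gap the question describes, comparing what apksigner reports against a trusted reference, is to pin the expected signing-certificate SHA-256 fingerprint and check every signer in the APK against it. The script below is an added example, not code from the original post or from any project. It assumes `apksigner` from the Android build-tools is on PATH, that the pinned fingerprint was obtained out of band (for instance from the developer's published release notes or from an installation you already trust), and the sample apksigner output used for testing is constructed.

```shell
#!/bin/sh
# Added example: pin an APK signing-certificate fingerprint and check
# `apksigner verify --print-certs` output against it.
# apksigner prints one line per signer of the form
#   Signer #1 certificate SHA-256 digest: <64 hex chars>
# (the digest values in comments and tests here are constructed placeholders).

# Read apksigner --print-certs output on stdin, emit the SHA-256 digest of
# every signer certificate, lower-cased, one per line.
extract_sha256() {
  sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: *//p' | tr 'A-F' 'a-f'
}

# check_pin OUTPUT PINNED
# Returns 0 only if apksigner reported at least one signer and every signer's
# SHA-256 digest equals PINNED (case-insensitive, colons allowed, as in
# "AB:CD:..." fingerprints copied from a release page). Otherwise returns 1.
check_pin() {
  output="$1"
  pinned=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ':')
  digests=$(printf '%s\n' "$output" | extract_sha256)
  [ -n "$digests" ] || return 1        # no signer line at all: fail closed
  found=0
  for d in $digests; do                # digests contain no whitespace
    [ "$d" = "$pinned" ] || return 1   # any non-matching signer fails
    found=1
  done
  [ "$found" -eq 1 ]
}

# verify_apk APK PINNED
# Runs apksigner (signature validity) and then the pin check (signer identity).
# Both must pass: a valid signature from an unexpected key is still a failure.
verify_apk() {
  apk="$1"
  out=$(apksigner verify --print-certs "$apk") || return 1
  check_pin "$out" "$2"
}

# Command-line use: ./check_apk.sh app.apk <pinned-sha256-fingerprint>
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  if verify_apk "$1" "$2"; then
    echo "OK: signature valid and signer matches pinned certificate"
  else
    echo "FAIL: signature invalid or signer does not match pinned certificate"
    exit 1
  fi
fi
```

The pin only helps once you hold an authentic reference value, so obtain it over a channel independent of the APK download (and ideally from more than one source); after that, every later release can be checked against the same fingerprint, since a signing key should not change between versions. The check still runs on the PC, so it narrows the trust problem the question raises to "was my reference fingerprint correct" rather than removing it.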