@Ixirup
I'm intentionally avoiding a long-winded argument about this and trying to keep it short to help a newbie and not to delve into long technical arguments. You're confusing and overcomplicating this for him with your comments, and I'm not here to argue anyway. I am well aware of those articles and their arguments. I understand the app signing and app pinning concepts. Fdroid uses their own signing key, which is no more safe or vulnerable than the developer doing it or the PlayStore doing it (so I'd argue). As I've explained in my other posts (which you're welcome to read), the arguments in these articles present theoretical problems. Equally problematic theoretical vulnerabilities exist both against PlayStore downloads as well as other download sources (GitHub included). In fact, downloading from the official website of the developer itself has arguments for vulnerability too, so! My argument is that the potential problems pointed out do not equate to a definite and categorical claim of "UNSAFE for general use" for the Fdroid repository.
@SpeakYourMind
Look, I live in reality. I'm trying to keep things real for you. And in reality, you only have a handful of practical options when it comes to downloading apps, that's it.
PlayStore is two components. The PlayStore REPOSITORY and the PlayStore APP. Apps are downloaded from the REPOSITORY using the PlayStore APP. To download from this repository a Google account is required.
Aurora Store is an APP (which takes over the job of the PlayStore APP) that allows you to download from this repository without needing to have your own Google account or needing to install or use the PlayStore App. Aurora uses its own Google accounts to download "for you". Aurora can't auto update apps in the background, but if you open it you can easily update your apps. Its advantage is privacy and being free from PlayStore apps being installed on your system. Its downside is that it's not as "convenient" as the PlayStore app, and it doesn't "pin" the app signature when it installs a new app. The account sharing aspect of Aurora is generally not a problem at this time except in very rare cases (mostly some financial apps wanting to heavily tie to your identity). There isn't any security risk in this that we know of. But if the particular app heavily relies on the Google account as the method to verify you and the app's instance, then this could become a security problem. This is generally not the case for most PlayStore apps, including most of the banking apps.
Another way to download apps from the PlayStore repository is through websites such as APKmirror and APKpure. They download the apps with their own Google accounts and provide a copy of that download on their website for people to download. This is a useful source in some cases (as no app or account is necessary and the full PlayStore repository is available to you) but is not ideal because updating the apps is a total pain and fully manual, which is not realistic. Aurora is a much more practical solution. Also, going through an extra website to download things adds an extra layer of potential compromise. However, this extra layer of vulnerability is the same whether you go through APKmirror, Aurora Store, or Fdroid. The issue of "trust" in those sources and the security of their servers becomes relevant. To avoid this potential risk it's recommended to download from the "direct source" like GitHub to avoid this "theoretic" extra attack surface, which then puts trust only in the developer's security and GitHub's. Is this much safer? How much? (You decide.)
Your next option is Fdroid. Fdroid also is both a REPOSITORY and an APP. Droid-ify, NeoStore, and Aurora Droid are alternatives to the Fdroid APP and use the same REPOSITORY. Fdroid apps can be downloaded directly from its website without the need for any app, however updates become a problem. Fdroid IS NOT an alternative and replacement to PlayStore. Their apps are mostly different. It is however complementary. Some apps exist on both, and some important apps are exclusive to each with no other way to get them (e.g. Brave is only on PS, and OsmAnd+ (Full Free) only on Fdroid).
As mentioned before, the Fdroid app has poor security, so use one of the alternatives. NeoStore allows automatic background updates which Droid-ify does not, however NeoStore crashed 5 times in the first hour that I used it and wasn't as polished and clean as Droid-ify in my use. So I uninstalled it and have happily stuck to Droid-ify since. I have not used Aurora Droid.
Accrescent is another app and repository, however it's not ready, and since I haven't used it I can't comment much more.
Your last option is direct download from source (official website or GitHub/GitLab). This often leaves you with the problem of updating. Obtainium then comes in use here to consolidate and solve the update problem of direct downloads from source. Some argue that Obtainium increases the attack surface. Theoretically true, but... how much? Realistically your choice is between the extreme pain of manually handling 20 apps, or just using Obtainium. You decide.
Tips:
- Don't use GitHub's search to find apps. It's terrible. Use a search engine with the "right" words in your search. To be sure you have got the right website you need to confirm it from other web sources, as a lot of similar entries exist that you should NOT trust.
- Fdroid website shows official links to any app's official website and source code. A great way to verify and find the proper "source".
- There are other places to get APKs from, don't use them. They are dangerous.
- Read the posts I referenced for you.
- Read the entire documentation on the GOS website.
- Don't fret. This is too much info. You can't know it all right now. Start with the good advice given here. Expand later.
- Watch SideOfBurritos
- Find and watch other Android security helpers on YouTube. You'll learn from them even if some info is incomplete or not great.
- The same app from different download sources might have different signing keys. The first time you install an app the "key" gets "pinned". Then you can only update from the same source and not a different one. So decide which source you install the app from, as it will affect your future updates. Fdroid has its own key. PlayStore and developer site might have the same key, or might not.
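As an added illustration of the key-pinning behaviour described in the last tip (this is not code from the original post, nor from any of the stores named): a minimal model of the signer pin an installer keeps per package. The certificate bytes are constructed stand-ins, the package name is hypothetical, and APK Signature Scheme v3 key rotation is deliberately not modelled.

```python
import hashlib

# Constructed stand-in signer certificates. In a real install these would be
# the DER certificates from the APK's signing block; the installer only ever
# compares their SHA-256 fingerprints, so distinct byte strings model distinct keys.
DEVELOPER_CERT = b"constructed-cert-developer-key"
FDROID_CERT = b"constructed-cert-fdroid-build-key"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the certificate, in the colon-separated form apksigner prints."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinningInstaller:
    """Models the signer pin kept per package: the first install records the
    full signer set, and every later update must be signed by exactly that set."""

    def __init__(self):
        self.pins = {}  # package name -> frozenset of signer fingerprints

    def install(self, package: str, signer_certs: list) -> str:
        signers = frozenset(fingerprint(c) for c in signer_certs)
        pinned = self.pins.get(package)
        if pinned is None:
            self.pins[package] = signers          # first install: pin the signers
            return "INSTALLED"
        if signers == pinned:
            return "UPDATED"                      # same source / same key: fine
        return "UPDATE_INCOMPATIBLE"              # different key: update refused

    def pinned_fingerprints(self, package: str) -> list:
        return sorted(self.pins.get(package, ()))


def demo() -> list:
    """Install from Fdroid, update from Fdroid, then try the developer's build."""
    inst = PinningInstaller()
    pkg = "org.example.hypothetical"  # hypothetical package name
    return [
        inst.install(pkg, [FDROID_CERT]),
        inst.install(pkg, [FDROID_CERT]),
        inst.install(pkg, [DEVELOPER_CERT]),
    ]


if __name__ == "__main__":
    print(demo())
```

The third result is the failure a user hits when the first install came from one source and the update from another with a different signing key; uninstalling and reinstalling from the new source resets the pin.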