flighty_sloth: Would somebody most likely have to be on the same local network to do this attack or how would it work?
Pretty much nothing provides a guarantee, so "I'm on my home network" is not a guarantee. Many attacks are easier to carry out closer to a target, so there is a general trend, but it's not a great sort of thing to rely on.
I'm not an expert on this sort of attack, nor do I think this forum is a good place for detailed discussions of how to attack people. But here is a general Wikipedia article on the family of attacks: DNS spoofing.
The reason why people have invested substantial time and effort in certificate pinning and/or certificate transparency (not to mention DNSSEC) is because those techniques are widely perceived to add substantial value against attacks that are not merely theoretical but have been successfully deployed against real people.
On a day-to-day basis, any one of us may not be attacked at all. But best practices are best practices because they add value. If somebody issues a caution about an arguable weakness in F-Droid or Aurora Store, etc., that doesn't mean those weaknesses are resulting in successful attacks right now (or that your device has already been compromised). But it's more helpful to be cautious before one is attacked, or before an attack is so successful that it's front-page news, than after.