Who do you trust more, to secure their infrastructure? Google or F-Droid / a bunch of volunteers who may or may not be very security-conscious?
Not to downplay the effort that F-Droid contributors (or any Android FOSS groups) make, but it's a very legitimate concern.
Would an attacker have an easier time infiltrating Google or a member of the F-Droid development community?
Are users of F-Droid higher value than users of Google Play, to warrant a direct attack? If one wants to pick off users who are fairly technically inclined, other developers, system administrators, etc., F-Droid is a pretty good place to start.
Regardless of the fact that builds are reproducible, F-Droid has infrastructure. How is that infra secured? How are the servers that store signing keys secured? How are the build servers accessed? How is the access secured?
Okay, so the builds are reproducible -- is someone maintaining a concurrent system that verifies reproducibility and provides notification of a collision when things don't match up with built and served binaries?
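The "concurrent system" the comment asks for is essentially an independent rebuild-and-compare loop: rebuild each release yourself, hash it, fetch what the repository actually serves, and raise an alert whenever the two digests differ or an artifact is served that nobody independently rebuilt. The following is an added example of that comparison step; it is not the commenter's code and not F-Droid's own tooling. The app ids, version codes, and APK bytes are constructed inline, and the function names are my own assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Mismatch:
    """One alert: what the repo served did not match an independent rebuild."""
    app_id: str
    version_code: int
    expected_sha256: str  # digest of the local reproducible build
    served_sha256: str    # digest of the bytes actually served


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_served_artifacts(rebuilt_digests: dict, served_artifacts: dict) -> list:
    """Compare served artifacts against independently rebuilt digests.

    rebuilt_digests:  {(app_id, version_code): sha256 hex of the local rebuild}
    served_artifacts: {(app_id, version_code): bytes fetched from the repo}

    Returns a list of Mismatch records. Two conditions produce an alert:
      1. the served digest differs from the rebuilt digest;
      2. the repo serves a version for which no independent rebuild exists,
         so reproducibility gives no assurance at all for that artifact.
    """
    findings = []
    for (app_id, version_code), served_bytes in sorted(served_artifacts.items()):
        served = sha256_hex(served_bytes)
        expected = rebuilt_digests.get((app_id, version_code))
        if expected is None:
            findings.append(Mismatch(app_id, version_code, "<no independent rebuild>", served))
            continue
        # compare_digest avoids timing side channels; cheap insurance for a verifier
        if not hmac.compare_digest(expected, served):
            findings.append(Mismatch(app_id, version_code, expected, served))
    return findings


def format_alert(m: Mismatch) -> str:
    """Render a finding as a single notification line (e.g. for a mailer or chat hook)."""
    return (f"ALERT {m.app_id} v{m.version_code}: served sha256 {m.served_sha256} "
            f"!= rebuilt {m.expected_sha256}")


# --- constructed sample data (not real APKs) ---------------------------------
APK_V42 = b"PK\x03\x04 constructed apk payload v42"
APK_V43 = b"PK\x03\x04 constructed apk payload v43"
APK_V43_TAMPERED = APK_V43 + b"\x00injected"   # one extra byte string changes the digest

REBUILT_DIGESTS = {
    ("org.example.app", 42): sha256_hex(APK_V42),
    ("org.example.app", 43): sha256_hex(APK_V43),
}
SERVED_ARTIFACTS = {
    ("org.example.app", 42): APK_V42,            # matches the rebuild
    ("org.example.app", 43): APK_V43_TAMPERED,   # served bytes differ from the rebuild
    ("org.example.unknown", 1): b"PK\x03\x04 never rebuilt locally",
}


def run_check() -> list:
    """Entry point used by a cron job or CI step; returns the findings."""
    findings = check_served_artifacts(REBUILT_DIGESTS, SERVED_ARTIFACTS)
    for m in findings:
        print(format_alert(m))
    return findings


if __name__ == "__main__":
    run_check()
```

In a real deployment the `served_artifacts` side would be populated by fetching from the repository mirror on a schedule, and the `rebuilt_digests` side by a build host that shares no credentials with the repository infrastructure, which is the whole point: the check only catches compromise of the serving side if the verifier is independent of it.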