That's true, but it's also possible for an attacker to compromise a GH account and publish a new "release", without even changing any source code. Only you have all the accounts to secure, and only one F-Droid. I use Obtainium too, but it's unclear to me how to weigh up these risks.