By default, the repos only contain what the OS maintainers put there, so app updates are no different from OS updates, and both are from the same source.

Trust should never be blind. Always verify sources and understand the code.

I think apt checks signatures. You only need to be careful when adding a new repo to verify the pubkey there.