Thing is f-droid uses the same github source. So a compromised project will simply affect everyone. On the otherhand f-droid could maliciously point to a different cloned compromised repo and end user wouldn't even know. So still best to take out the middle man and know your updating to the official repo and not a different unofficial clone.
