This F-Droid-like model (also popularly implemented by Linux distributions) is usually considered an improvement in security.
The thing with FOSS is that ideally you don’t have to trust the developer at all.
In theory, you could read the entire source code and compile it yourself. Then you’d know for sure that no malware is included.
Obviously, in practice, you can only hope that some nerds dig into the source code and notify journalists of malware-like behaviour.
It is no perfect protection. But it is the only tangible protection that FOSS actually delivers.
What does not protect you, is to trust each individual developer. They could publish innocous source code and then build the release binaries from a version with the malware-like behaviour patched in.
But because you likely don’t want to compile each app yourself, you might still feel compelled to entrust that work to a third party. This is where the F-Droid team comes in. Rather than trusting each developer, you just have to trust a single team.
Well, and if an app is built in a reproducible build, then even the work from the F-Droid team can be verified.