I’m aware that signing the package is not the same thing as signing the code. The application is built by the package maintainer(s), and then the resulting packages are signed.
Which is the same thing that Flatpak does. Both depend on trusting the repo owner and the package maintainer.