You're trusting the release key the first time you install an apk.
If a malicious app is published to GH releases, users who try to update are protected due to signature mismatch but first time installers would get rekt.