Good question! Each APK needs to be added manually and so it's vetted. With updates to the  UI we'll start making these things more clear. And next year integrating DVMs to help with these checks.

The idea is to bring many more FOSS apps that are not as releases on Github.

In reality this doesn't change much from the current practice of ingesting Github releases. Some of those could theoretically be compromised. 

 *I didn't mean the APK, but the recipe on how to fetch version and artifact, so once it's set up we automate that 

 Ah, that makes more sense