It isn't hard to look in source code for connections made by the client (should be none outside of the chosen relays). But it is not practical to personally audit the source of every app you use. Obtainium removes some intermediaries like the Play Store, as you get a build of what is on GitHub. F-Droid does its own builds and has stricter policies and does some auditing. Aurora Store does some privacy auditing of binaries. You have to trust them, though. No easy answers.