It's a valid concern I don't have a solition for. In theory you could be man-in-the-middle attacked without noticing or the apk provided to the Google back end could be malicous. I only download apps I "know" and use anonymous Aurora Store Sessions - I'm not aware that Aurora Store ever pointed someone somewhere else than to the Google back end. 

FAQ can be found here:
https://aurora-oss.vercel.app/faq/#aurora-services