No need for F-droid (which is also very centralized) if you have Obtainium
But FDroid is safer (they compile the software themselves); a GitHub dev can add malicious code to the build.
If the dev is malicious, F-droid will compile the malicious code as well (F-droid doesn't review any changes to the actual code). There is no extra safety being added by F-Droid. They only check if the code is open source, that's it.
If the application has a sizeable user base, there will be users (most likely contributors) who will discover the change. They have about 1 day, but many FDroid users rarely update repositories, so more than 1 day. Malicious functionality in builds can go unnoticed for years.
Could be interesting to have an organization that would specialize in reviewing code with results integrated into a directory with nostr. Badges and additional marketing exposure could be a benefit. Members could be both producers and users and could pay for the service.
There is no need for such an "organization". Just trust your favorite developer. E.g. if you use Amethyst, that means you trust Victor Pamplona. And so on...