Android checks the dev signature when updating. That's why you can't install from the Play Store and update it with Obtainium. You always have to uninstall first to change the signature profile. But first-time installs are still not checked. But that is the same for the usual Play Store. And if the dev decides to go rogue and add some malicious code, neither Google, nor F-Droid, nor Obtainium will find it before releasing it.
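As an added example (not part of the comment above, and not code from Android or Obtainium), this sketch models the update-time signer comparison and the first-install check a user can run themselves by comparing an APK's signing certificate to a fingerprint obtained out-of-band. It parses the digest lines printed by `apksigner verify --print-certs`; the function names, the pinned fingerprint and the sample outputs are constructed for illustration, and key rotation is ignored.

```python
import hmac
import re

# Digest line as printed by `apksigner verify --print-certs app.apk`.
_DIGEST = re.compile(r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M)

def normalize(fp):
    """Accept 'AB:CD:...' or 'abcd...' and return 64 lowercase hex chars."""
    fp = re.sub(r"[\s:]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", fp):
        raise ValueError("not a SHA-256 fingerprint")
    return fp

def signer_digests(apksigner_output):
    """All signer certificate SHA-256 digests found in the tool output."""
    return [d.lower() for d in _DIGEST.findall(apksigner_output)]

def same_signer(installed_output, update_output):
    """Simplified model of the update rule: signer sets must be identical.
    (Key rotation lineage is ignored here.)"""
    old, new = set(signer_digests(installed_output)), set(signer_digests(update_output))
    return bool(old) and old == new

def check_first_install(apksigner_output, pinned_fp):
    """The check nothing performs for you on a first install: compare the APK's
    signer to a fingerprint obtained out-of-band (assumed: from the developer)."""
    digests = signer_digests(apksigner_output)
    if not digests:
        return "no-signer"
    if len(digests) > 1:
        return "multiple-signers"
    return "match" if hmac.compare_digest(digests[0], normalize(pinned_fp)) else "mismatch"

def _sample(digest):  # constructed apksigner-style output, not from a real APK
    return (
        "Signer #1 certificate DN: CN=Example Developer\n"
        f"Signer #1 certificate SHA-256 digest: {digest}\n"
        f"Signer #1 certificate SHA-1 digest: {'12' * 20}\n"
    )

DEV_BUILD = _sample("ab" * 32)    # constructed: build signed with the developer's key
OTHER_BUILD = _sample("cd" * 32)  # constructed: same app signed with a different key

if __name__ == "__main__":
    print(same_signer(OTHER_BUILD, DEV_BUILD))                # update across signers
    print(check_first_install(DEV_BUILD, "AB:" * 31 + "AB"))  # pinned first install
```

A matching fingerprint only shows the APK came from the holder of that key; it says nothing about what the code does.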