If the dev is malicious, F-droid will compile the malicious code as well (F-droid doesn't review any changes to the actual code). There is no extra safety being added by F-Droid. They only check if the code is open source, that's it.