Every curated list is a middleman.
The alternative is expecting average users to trust or audit possibly 100 different devs from each different app used, any of whom can publish a malicious update.
Every solution has tradeoffs; there isn't a one-size-fits-all.