Well that's an attack vector for sure, GitHub is currently owned by Microsoft. But iirc there is a GitHub nostr project to hopefully remove that attack vector.

But you are absolutely right.

And all that would do is stop new people from getting the APK, it wouldn't retroactively remove it from your device, afaik.

It wouldnt have an effect on those who already downloaded the APK.