Web of trust in this context is a "follows who follow". It's a quick way of determining if people you know follow the signer.

Zapstore is just another signer. If you don't trust our indexer pulling metadata from Github, you don't install anything from Zapstore.

All apps from Github APKs are downloaded from there when you install an app, and checked against the hashes that were indexed previously.