Ya, when I looked at F-Droid it wasn't clear who was even packaging the thing (who dis?). So I decided to just trust GitHub Actions.. it's not like Amethyst runs as root or anything..
Discussion
The package on F-Droid is the same as the one on GH
https://codeberg.org/IzzyOnDroid/repo#what-is-the-izzyondroid-repo
Right, that's what I'm not understanding.. they just get it from GitHub, so the only thing protecting you is.. waiting longer. HTTPS -> GitHub release download is the only security check being done for either method.