Only download open-source apps that have some popularity. These developers post the code publicly (usually on GitHub) for anyone to review.
You don't necessarily have to review the code yourself, although it is pretty easy to copy & paste it into ChatGPT or similar.
With popular apps, you can be fairly certain someone else has reviewed the code and that the developer is not committing project suicide by putting a line of malicious code in their app for anyone to see.