Thing is f-droid uses the same github source. So a compromised project will simply affect everyone. On the otherhand f-droid could maliciously point to a different cloned compromised repo and end user wouldn't even know. So still best to take out the middle man and know your updating to the official repo and not a different unofficial clone.
Discussion
That's true, but it's also possible for an attacker to compromise a GH account and publish a new "release", without even changing any source code. Only you have all the accounts to secure, and only one F-Droid.
I use Obtainium too, but it's unclear to me how to weigh up these risks.
Very true, got to stay vigilant than I guess.