Awesome app. It is somehow not listed on android-foss list so maybe someone didn’t know about it.
Obtainium allows you to install and update Open-Source Apps directly from their releases pages, and receive notifications when new releases are made available.
GitHub page: Link.
This is a good question and a valid concern. However, I wonder if the app really makes in worse then it’s already is. GitHub has no way to share checksums with the builds. The only way to do that is to upload a checksum file alongside the binary. But if an attacker is able to upload/replace a malicious binary, they would be able to replace its checksum file as well. So you wouldn’t be able to recognize this anyway, even when downloading it GitHub, would you?