>the apps you install from F-Droid are signed by F-Droid rather than the developer.

That doesn't seem like a con if you take into account the context: F-droid is not shipping pre-build binaries from the developper, it asks for a buildable project from the developper.

If the source repo of the upstream dev are compromised, so will be hid own binaries anyway.