bill_mcgonigle 3 days ago
Well, if you wanted to compromise F-Droid you could target their build server's ME or a cloud VM's hypervisor. To do a supply-chain attack on Google's SDK would be much more expensive and less likely to succeed. Google isn't going to be the attacker. The recent attack on AMI/Gigabyte's ME shows how a zero-day can bootkit a UEFI server quite easily. There are newer Coreboot boards than Opteron, though. Some embedded-oriented BIOSes let you fuse out the ME. You are warned this is permanent and irreversible. F-Droid likely has upgrade options even in the all-open scenario.