The issue isn’t the hardware, it’s the fact that it’s hosted somewhere private in conditions they wont name under the control of a single member. Typically colo providers are used for this.

Is it one person? Is it an organization/professional company with close ties to F-Droid? There are a lot of worst-case assumptions in this thread.

Eh. It's just a different set of trade-offs unless you start doing things super-seriously like Let's Encrypt.

With f-droid their main strength has always been replicable builds. We ideally just need to start hosting a second f-droid server somewhere else and then compare the results.