Cryptographic trust is a different thing than actual trust. The latter is what makes the world work, the former is a tool people occasionally confuse for the real thing, but actually is mostly opposite to it.

Look we are talking about computers here. Computers don't understand or exercise actual trust as you describe it. Actual trust doesn't make computers work at all, because it doesn't exist in their world. So you need a proxy for it.

The security vetting, the authentication, the scans that are done, whether by Google Play or by F-Droid, are a process that tries to eliminate egregious abuses and basically curate the collection so that the users have something to actually trust. Now you understand that actual trust comes in degrees, right? I don't trust everything on Play equally. There are plenty of different types of trust relationships between me and the Play Store and the devs who put their apps on it.

But cryptographically, cybersecurity-wise, we need that CIA triad, and we need to authenticate that developers are who they say they are. And that authentication is the crux of cryptographic code signing. That we can trust that updates came from the source, and not a 3rd party injection or supply-chain attack. If Google or F-Droid countersigns it, then it's been through their vetting process as well. That's how cryptographic signing establishes trust relationships for computers.

If your computer doesn't trust an app or a driver, it won't download, install or run it. Since you cannot teach a computer "actual trust" there must be an analogue to this. And it's working fine. I don't know what you're on about "opposite to actual trust". If you don't trust Google Play, that's a you problem.