I didn’t say it was more secure, I said it’s about the same.
The difference is a person being forced to go to a website to download software means more steps and more time to consider the safety of what they’re doing. It’s part psychological.
Not all such packages are retrieved from GitHub, I remember downloading numerous .deb files direct over the past 25 years (even as recent as downloading Discord manually some years back).
The main point I’m making is that you should legally protect yourself, it’s a low and reasonable effort.
I already answered that first question.
And then all those app store fronts that say whether a flatpak is verified or not is inducing fear and/or guilt and is therefore bad UX. It’s not, but you are free to have your opinion.
Have fun then, I’m done wasting my time here.