There is a difference in your Linux desktop workstation and your most private device. Desktop systems are not nearly as secure and should not be seen as such, and Linux surely at the tail end.
People using F-Droid might not be aware that they are trusting a third party as they think it is a trusted distribution channel, relying on the information stated on the client app or website.
The Android security model strictly forbids it. This should be enough of a problem as it is the very foundation to establish security for the system's user.
neither of the two are great. MicroG stands in conflict with Android's security model by spoofing Google app signatures and being a deeply privileged app compromising the whole system's security.
CalyX has is constantly harassing and bullying other privacy-focused projects, causing incredible harm to the privacy and security community. It also has been missing updates for 4 months recently, making it a terrible choice for anyone.
Although I'd like to applaud any alternative to Google Play the approach F-Droid pursues does not fit a serious security model. F-Droid builds are custom signed and can be made by random parties without proper auditing after initial review.
Also, it is stuck on old APIs and won't allow the use of Android's new unattended update feature (UPDATE_PACKAGES_WITHOUT_USER_ACTION) and requires intrusive privileged system access to do that.
A more serious flaw opposing the Android security model is the fact that an app store is supposed to feed from a single repository which F-Droid does not adhere to.
Also, often these repos are poorly maintained, rarely updated and often conflict with Play Store packages because they use identical app ids.
All they care about is to be free from "evil proprietary components" which comes at a great cost of security and inescapably privacy.
It's just not a good choice for these and additional reasons such as building a ton of their apps unattendedly on a potentially malicious server.
People using F-Droid might not be aware that they are trusting a third party as they think it is a trusted distribution channel, relying on the information stated on the client app or website.