how is buying drugs reducing their suffering?

all of this is true with literally any company.

F-Droid not being trusted. They build and sign a developer’s code on their behalf, so there is a chance for injection there.

There are reproducible builds, but I would argue it’s not taken seriously enough. Like right now nobody is publicly verifying Signal’s supposed reproducible Android builds and they’ve historically had problems keeping it working.

Also how most (or all?) Play Store apps (including FOSS) contain proprietary code.