Hacker News

mdaniel 02/20/2025 (1 reply)

> adding a repo for every app adds unnecessary security risks

Could you speak more to your security concerns about adding repos? To the very best of my knowledge it doesn't auto-download from all the repos, that would be crazy, and it for sure doesn't auto-install from them.


Replies

jeroenhd 02/24/2025

When you add a random repo, that repo can list any number of apps with any number of properties. For instance, you could've added the Guardian Project repo and later search for "Firefox" (an app that one would expect to find on something like F-Droid). Firefox isn't on F-Droid, but the Guardian Project can add it any time they want, add in whatever viruses or trackers they want, and serve it up without you ever knowing you downloaded it from an unofficial source. You'd have to spot the source name listed above the install button, but that name comes from the source itself and there's little preventing someone from calling their repo "default app source" or something similarly benign.

Nothing gets auto downloaded, but all of a sudden you need to be very wary of what apps you download from what repos, and that kind of threat fatigue will lead to infections for even the most diligent users.

That's not to say I think the concept of adding repos is bad; the unfortunate truth is just that adding repos comes with a bunch of implications that many users are likely to be unprepared for. It downgrades F-Droid from "a project with centralized management that tries its best to remove malicious apps" to "downloading APK files from random websites (now with auto update)".
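The name-shadowing problem jeroenhd describes, and the mitigation a client can apply against it, modelled as an added example. This is constructed illustration code, not F-Droid's client or index format: the two repository indexes, package ids, signer fingerprints and the "default app source" label are all made up. A naive resolver merges every index and takes the newest version, so whichever repository lists a package id wins it, and the repo-supplied display name is the only hint the user gets. The pinned client instead records the repository URL and signing-certificate fingerprint an app was first installed from and refuses updates that come from anywhere else, reporting them so a UI could flag "update offered by a different source". (Android's package manager already rejects an update APK signed with a different key than the installed app; pinning the repository as well closes the gap where a different source serves a same-signer package the user never chose to trust.)

```python
"""Toy multi-repository app resolution (constructed example, not F-Droid code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    package: str   # application id as listed in the repo index
    version: int   # version code
    signer: str    # fingerprint of the APK signing certificate (constructed value)


# Constructed indexes. The display name is whatever the repo operator writes,
# so the second repo picks a benign-looking label and lists a package id the
# official repo never carried.
REPOS = {
    "https://official.example/repo": {
        "name": "Official Repo",
        "apps": [Entry("org.example.notes", 3, "aa11")],
    },
    "https://third-party.example/repo": {
        "name": "default app source",          # label chosen by the repo, not the client
        "apps": [Entry("org.example.notes", 4, "ff99"),
                 Entry("org.mozilla.firefox", 1, "ff99")],
    },
}


def naive_resolve(package, repos):
    """Newest version wins, whichever repo supplies it. Returns (repo_url, Entry) or None."""
    best = None
    for url, repo in repos.items():
        for e in repo["apps"]:
            if e.package == package and (best is None or e.version > best[1].version):
                best = (url, e)
    return best


class PinnedClient:
    """Remembers (repo url, signer, version) per installed package."""

    def __init__(self):
        self.installed = {}

    def install(self, package, repos, from_repo):
        """Install from an explicitly chosen repo and pin that repo and signer."""
        entries = [e for e in repos[from_repo]["apps"] if e.package == package]
        if not entries:
            raise LookupError(f"{package} not in {from_repo}")
        e = max(entries, key=lambda x: x.version)
        self.installed[package] = (from_repo, e.signer, e.version)
        return e

    def update(self, package, repos):
        """Return (accepted Entry or None, list of rejected (url, repo name, signer)).

        Only a newer entry from the pinned repo with the pinned signer is accepted;
        everything else is collected so the caller can surface it to the user.
        """
        pinned_repo, pinned_signer, cur_version = self.installed[package]
        accepted, rejected = None, []
        for url, repo in repos.items():
            for e in repo["apps"]:
                if e.package != package or e.version <= cur_version:
                    continue
                if url == pinned_repo and e.signer == pinned_signer:
                    accepted = e
                else:
                    rejected.append((url, repo["name"], e.signer))
        if accepted is not None:
            self.installed[package] = (pinned_repo, pinned_signer, accepted.version)
        return accepted, rejected


if __name__ == "__main__":
    # Naive client: the third-party repo wins both the shadowed and the new package id.
    print("naive notes  :", naive_resolve("org.example.notes", REPOS))
    print("naive firefox:", naive_resolve("org.mozilla.firefox", REPOS))
    # Pinned client: the higher version from the other repo is refused and reported.
    c = PinnedClient()
    c.install("org.example.notes", REPOS, "https://official.example/repo")
    print("pinned update:", c.update("org.example.notes", REPOS))
```

The interesting output is the `rejected` list: it carries the repo URL rather than the repo's self-chosen name, which is the one piece of identity the repo operator cannot rewrite.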