Hacker News

leo_e, today at 11:45 AM

This will inevitably be used as ammunition against sideloading, but it’s really a lesson in supply chain trust.

When we move away from walled gardens (which I support), the burden of verifying the "chain of custody" shifts to the user. Installing an APK that auto-updates with root/system privileges is essentially giving a single developer the keys to your living room.

We need better intermediate trust models—like reproducible builds signed by a quorum of maintainers—rather than just "trust this GitHub release."