Hacker News

IshKebab yesterday at 8:31 PM (6 replies)

"F-Droid is not hosted in a data centre with proper procedures, access controls, and people whose jobs are on the line. Instead it's in some guy's bedroom."

Not reassuring.


Replies

PaulKeeble yesterday at 9:15 PM

It could just be a colo; there are still plenty of data centres around the globe that will sell you a space in a shared rack with a certain power density per U of space. The list of people who can access that shared locked rack is likely a known quantity with most such organisations, and I know in the past we had some details of the people who were responsible for it.

TomatoCo yesterday at 8:42 PM

In some respects, having your entire reputation on the line matters just as much. And sure, someone might have a server cage in their residence, or maybe they run their own small business and it's there. But the vagueness is troubling, I agree.

A picture of the "living conditions" for the server would go a long way.

a3w yesterday at 9:26 PM

Depends on the threat model, which one is worse.

State actor? Gets into data centre, or has to break into a privately owned apartment.

Criminal/3rd party state intelligence service? Could get into both, at a risk or with blackmail, threats, or violence.

Dumb accidents? Well, all buildings can burn or have a power outage.

pwndByDeath yesterday at 9:21 PM

I think there are countless examples of worse failures by organisations that meet your criteria for far more valuable assets than some free apps.

ugh123 yesterday at 8:40 PM

The 'cloud' has come full circle

gpm yesterday at 8:55 PM

Eh...

The set of people who can maliciously modify it is the people who run f-droid, instead of the cloud provider and the people who run f-droid.

It'd be nice if we didn't have to trust the people who run f-droid, but given we do, I see an argument that it's better for them to run the hardware so we only have to trust them and not someone else as well.
