By default, the repos only contain what the OS maintainers put there, so app updates are no different from OS updates, and both are from the same source.

Trust should never be blind. Always verify sources and understand the code.

I mean most of it is opensource…. You verify the checksum in your terminal and you verify the code if you know how

I think apt checks signatures. You only need to be careful when adding a new repo to verify the pubkey there.