I've been on Debian 11 for a few years and I'm installing 13 on another disk (dual booting until it's ready for my job.)
I did not use the Firefox coming with 11 and I won't use the ESR version in 13. I downloaded the deb from Mozilla's site once and it autoupdated itself up to the current version. No problem at all. I'll do the same on 13.
Mozilla have an apt source you can add. No manual dpkg required.
Doesn’t that give Mozilla the ability to replace any package on one’s computer?
I trust Debian, and I trust the Debian Firefox team to secure Firefox, but I do not trust Mozilla.
That's what apt pinning is for: https://wiki.debian.org/AptConfiguration
You can tell apt to prefer a given source list only for a few packages.
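One way to set up that pinning, as an added example that is not from the thread and not from Mozilla or Debian: the script below writes an apt preferences file that blocks every package from Mozilla's repository except `firefox`. It assumes the repository origin hostname is `packages.mozilla.org` and takes an optional root directory so it can be dry-run outside `/etc`.

```shell
#!/bin/sh
# Added example (not from the original thread): restrict Mozilla's apt
# source to the single package it is meant to provide.
# Assumption: the repository origin hostname is packages.mozilla.org.
set -eu

# write_mozilla_pin [ROOT]
# Writes ROOT/etc/apt/preferences.d/mozilla and prints its path.
# ROOT defaults to empty, i.e. the real system.
write_mozilla_pin() {
    root="${1:-}"
    dir="$root/etc/apt/preferences.d"
    mkdir -p "$dir"
    cat > "$dir/mozilla" <<'EOF'
# Default rule: never install anything whose origin is Mozilla's repo.
# A negative Pin-Priority means apt will not install that version
# even if nothing else provides the package.
Package: *
Pin: origin packages.mozilla.org
Pin-Priority: -1

# Exception: firefox may come from Mozilla and wins over Debian's own.
# A record naming a package explicitly takes precedence over the
# wildcard record above, so only this one package gets through.
Package: firefox
Pin: origin packages.mozilla.org
Pin-Priority: 1000
EOF
    echo "$dir/mozilla"
}

# After writing to the real root, verify what apt will actually do:
#   apt-cache policy firefox     # Mozilla candidate should show 1000
#   apt-cache policy <other pkg> # any Mozilla version should show -1
```

This constrains only what apt will pull from that source; as the next reply points out, the browser's own updater is a separate trust decision.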
FYI to the parent poster, if you don’t trust Mozilla, installing from a deb vs apt won’t make a huge difference. Firefox automatically updates and could decide arbitrarily to reconfigure your apt repos for you, or pull down and install additional debs.
It’s a fair move to minimise the risk, so I’ll be pinning on my system if it’s not already, but it won’t make a whole world of difference if the remote actor starts misbehaving. The other alternative is to disable automatic updates entirely and hope the version you’re pinned to is okay, but vulnerabilities in browsers are common; that’s basically what LTS is for anyway.