"Trustworthy" requires a qualifier of "for what" and I do trust Google to not intentionally install malware on my device and to take reasonable steps to prevent other people from doing it. I will admit that I don't know the details of how the app stores work, but they are at least checking the hashes of the binaries right? The probability of trying to install Instagram from Meta, but actually installing Instapwned from some malicious third party is zero when you go through the app store, right?
I assume that's correct, for your very narrow definition of malware and a nonzero definition of zero, and it's a good point that trustworthiness is context-dependent. As Alan Karp used to say, "I trust my relatives with my kids but not my money. I trust my bank with my money but not my kids."
Yes, but app stores like F-Droid, if you trust them, provide an even stronger security statement: they guarantee that you can check out the full source code of the app you are running.
This is what has made Linux distributions the go to for secure OS to run on your server: even if malware or bug leaks in, you have a full security trail about when and how that happened right in the open.
Wrong, plenty crap make it into the store, that is true for both Android and iOS. And the advertisement in the Android store is designed specifically to try to trick you into installing a different but similar app to the one you wanted.