Yes, but app stores like F-Droid, if you trust them, provide an even stronger security statement: they guarantee that you can check out the full source code of the app you are running.

This is what has made Linux distributions the go to for secure OS to run on your server: even if malware or bug leaks in, you have a full security trail about when and how that happened right in the open.