> new unvetted variant X; basically unknown auth system

Valid concerns. In the case of Ente Auth though, it is used by folks working at CERN [0], who also sponsored a recent security audit: https://ente.com/blog/cern-audit/

[0] https://cern.service-now.com/service-portal?id=kb_article&n=... / https://auth.docs.cern.ch/trouble-shooting/2fa-tips/