I think it is a good save, for the time being. Just maintain what works, and if people are unhappy with this, they can always try another.
vintprox
Otherwise depend on what is called a "non-puppeting bridge", self-hosted bot that reposts messages on behalf of itself. Problem is, reactions and other multi-agent interactions won't be a subject for bridging. If you absolutely need those, you have to host a Matrix server (like optimized, but unstable, Conduit or the hungry Synapse) or partner up with another server owner to activate your appservice...
Wherever the app's code is on. I usually go around finding the link in the store page or through the search engine. Most of the time, they end up on GitHub and GitLab, sometimes on Codeberg or other instance.
Paranoid section ahead: Don't blindly trust the issues list, closed or open, because there are still ways to permanently delete those, hence giving bad actor a way to hide evidence of the on-going security problem.
I look at the latest release date. At leisure time, I would also go and check repository and issue tracker to see whether something serious is being ignored. If it's crucial for business, I would spare time investigating the source code itself.
I would not necessarily say that many apps uploaded to F-Droid and other repositories are unsafe, because I don't have all that energy to audit anything I use. What helps me to stay on the safe side is reading into things - enclosed descriptions and names may look like a small factor to some, once they tread the sources, but it saves me both the time and trouble. Sloppily written stuff usually implies a sloppy code, a lax attention to details on the developer's side.
How do you people make the screenshots of popups in Firefox? Every time I press
Print Screen
they just keep fading away.