Signed developer certificates protect you from MITM attacks, it does not protect you from the sources themselves being compromised.

Very true, and that’s why f-droid building from source can only guarantee the apk matches the source, but you still need to trust someone else (or yourself) to study the source and confirm nothing shady is going on, which of course isn’t something most people would do for any open source app they install.

Still, for “high profile” cases it just take one (independent) person to go through the source and publish their findings.