I haven’t seen much discussion about this other than people recommending to verify the APK installation for the first time. Another argument was that you have to trust each developer individually not to release a malicious update. If you are using their app it means you already trust them so I don’t see how this argument applies. Are there any other downsides that I am not aware of?
I was planning on using Obtanium anyway. This leads me to another question, would it be better to use the self-update functionality for apps or just use Obtanium? My way of looking at it is that If use Obtanium (even for a self-updating app), I have less apps with the “Install unknown apps permission” which reduces my attack surface. Is my point of view correct?
How would I know if the app does that?
This is not true, Android always verifies the signature of app updates, including updates downloaded via Obtainium. You should use Obtainium (for the reason you mentioned @anon5233878, to reduce the number of apps with extraneous permissions), unless the self-updater is much faster than Obtainium for some reason or something.