I was thinking about downloading KeyMapper before seeing that it is really asking for large number of permissions, And in the same time i was downloading DangerZone with the size of 797MB which make it harder for me to scan it specially using Virustotal.
My question is how to trust those projects without being able to be fully sure they are not malware or privacy nightmare?
There is no surefire way, this exchange may be of interest to you: Is it safe to install a "companion app" with a Firefox extension? - #17 by Average_Joe
As i said in one of my replies there:
There is no way to be 100% sure, but if its actively supported and generally well known it tends to be OK. One place i like to take a look at for software is the Arch Wiki – it has lots of recommendations, but you should always do your own research as some of the recommendations/suggestions are unsupported.
As an Arch user, I usually obtain software from the Arch official repositories, and if it isn’t there i will go to the AUR. I know that is blasphemous to many privacy and security concerned people due to it being community run, essentially untrusted and whatnot, but i like the OS integration. Also, i always thoroughly vet the software before installing, choose AUR packages that many other users use, look at the AUR packager’s other AUR packages and read the PKGBUILD before installing
The main things that you should do is research the software, choose (when possible) open source options, and choose widely known software.
I consider Dangerzone a trusted application. It was created by the journalist Micah F Lee, known for his work on the Snowden leaks, and seems now to be further developed by the Freedom of the Press Foundation.