I read a thread from the recommendations.
It seems I had better lean toward tech giants or highly popular FOSS with many eyes watching, so the chance that someone indeed cares about security is higher, at least in making sure that libraries with severe CVEs are updated.
AmazeFileManager looks like one I can trust.
Regarding the threat model, I consider remote attacks, not physical access. I skip apps with no updates for >1y, simply to “stay updated”. I don’t know the technicalities of it; I just follow general safety recommendations like this. Exploits can be bizarre and you would never guess it’s even possible to hack this with that.