When you look at an app page on Flathub, you can go to Links → Manifest, which will bring you to a GitHub repo for the Flatpak version of the app. In there you’ll find a .yml or .json file (the “manifest”) that describes how the Flatpak is built. This is the example for Signal.
In this case, it just downloads the .deb file from the official website and moves the files contained therein to the appropriate directories.
The way to get an app on Flathub is that you make a pull request on GitHub containing the manifest (the aforementioned .yml or .json file) and some app metadata in an .xml file. The Flatpak file is then automatically built by the Flathub build-bot; usually from source, or in the case of proprietary software or Signal from an official binary. The pull request needs to be manually approved by one of the Flathub admins for it to appear in Flathub.
So as long as you trust the Flathub maintainers in general, and don’t find anything suspicious in the app’s manifest, you should be good.
Sure, however: most users won’t check any manifests, so there’s only trust left in that case. And the manifest can be changed at any time by the maintainers. It can be too late by the time someone takes notice.
I, personally, can’t feel 100% safe and comfy when using a Flatpak which is not maintained by the official developer(s). Or any software, in general.
Good, then you shouldn’t use Linux at all. Because the vast majority of software running on distros does not get maintained by the official developers of the software, but by some employee or some random volunteer working in their free time as a maintainer of packages of the distro you are using.
I’m fully aware of that. I admit that I don’t like this aspect of Linux — too much is based on just trust. There is, however, almost always an option to download directly from the developer.
I live in a country that is in a state of a war, and I’m against this war. I fully oppose my country and I’m on the side of the country they are at war with. On Signal I occasionally discuss the war with my loved one, friends and relatives. I simply cannot afford the risk of trusting such a significant and intimate thing as a messenger (where I discuss really significant topics) — to some third-party, and not the official developer. I hope you can understand my concerns and the circumstances I’m in. I’m at a very real risk of going to jail (or worse) if someone finds out the fact that I strongly oppose all this hell my country is causing.
The difference is that packages from your distro’s official repositories do get maintained by someone that you do (theoretically) trust (the team that develops/maintains your distro), and if you don’t trust them, you shouldn’t trust your distro in the first place. Unlike Flathub (or the AUR), your distro’s official repositories are not open to submissions from anyone; they are limited to maintainers, and there is a process for becoming a maintainer. I’m sure it is far from perfect, but there is a trust model.
As to Flatpaks/Flathub, you can see how they are built; it’s a little technical, but not super super technical. Here for example is the manifest for the unofficial Signal Flatpak. I won’t pretend to understand everything there, but I do see that the source the Flatpak is built from is the .deb version of Signal sourced directly from Signal’s website.