Why smaller attack surface? Bigger attack surface. For an attacker it is way easier to hack a single developer and publish a malicious APK on their GitHub (or alternative) than to host malware on the official F-Droid repository.
The first just requires a phishing email (trojanize a random dev with poor opsec, get his APK signing key and his browser cookies), while the second is way more complex (get full access to the F-Droid build servers).
Context: now that he’s dead and no longer controls many media outlets in the UK, it came out that Mohamed Al-Fayed raped over 100 female employees.
That conspiracy was pushed by him and his media outlets.