
de-Googled ROMs / App Stores | Aurora Store vs App Lounge

 1 year ago
source link: https://forum.xda-developers.com/t/de-googled-roms-app-stores-aurora-store-vs-app-lounge.4573919/#post-88393609

Preferred non-FOSS store

Szynek

Member

Hello,

(not sure if this should be posted here, or in Q&A forum)

I've been using alternative Android ROMs on my Linux phones for the last 10+ years (mostly CM/LOS). Recently, after watching some YT videos, I found that the concept of fully de-Googled is more than a concept these days. Since I don't really use Google's apps other than the Play Store, and everything else should be taken care of by microG (which, if I understand correctly, is a FOSS implementation of Play Services that should also supposedly pass the SafetyNet check), I decided to give it a go.

As far as I can tell, the most popular de-Googled / privacy-focused ROMs are GrapheneOS, CalyxOS, and /e/. In my case, /e/ is the only one I can officially use on my target Poco F1 device.

The issue is that I still have to get apps from somewhere (and I'm not that much into FOSS to use just F-Droid apps). Here the main choices are:
1. App Lounge (FOSS, built into the /e/ ROM, downloads apps from both Play Store and F-Droid) --> https://doc.e.foundation/app-lounge
2. Aurora Store (FOSS, downloads apps from Play Store only) --> https://auroraoss.com/
3. F-Droid (FOSS, dedicated for F-Droid apps only) --> https://f-droid.org/

The problem is that it is really difficult to find any credible resource that would compare those; I'm especially interested in the security aspects of those solutions (the first 2 in particular). I mean, don't get me wrong, I don't think that a FOSS app can just inject malicious code without anybody noticing it (especially ones that have been up in public for that amount of time with so many potential eyes on them), but I'm more afraid of external resources they may or may not be using (more on that later) or some incidental bugs. Just to be clear, I can live with a certain app being updated a little later, but I find being completely locked out of updates for e.g. my banking app (!) or downloading it from an unknown/malicious source (!!!) to be completely unacceptable. In other words, I'd like to get apps from the Play Store from as official a source as possible, with as minimal in-the-middle tampering as possible; any third-party user-based manual APK upload (like APKMirror) is out of the question. For FOSS apps, I can continue using F-Droid (having 2 stores for 2 separate app sources on one phone is not an issue for me).

That said, here's what I was able to determine so far; note that I'm not a dev or security expert, just an enthusiast, so feel free to correct any misconceptions.

App Lounge
At first glance, this is a perfect choice for me, as it supports both sources (Play Store and F-Droid). However, it seems to be using something called `CleanApk` to obtain them, and here's where things become really confusing to me:
- The official doc claims that it is a source for closed-source apps. It even mentions the possibility to create a store page for your app (!) as well as asking users to report malicious apps (!!!). Call me paranoid, but to me it looks like anybody can just create a scam banking/Facebook/whatever app and get it published (as there is zero mention of any verification process, be that automatic or manual). Also, I don't see any info as to where those closed-source apps actually come from, and the entire info page really lacks any detailed info. Not to mention that the source / motivation / community / author / anything about this API is a mystery to me.

- When it comes to the official App Lounge doc, it seems like it does NOT in fact use `CleanApk` for Play Store apps (?), but if that is the case, then I'm confused as to why they are using it for F-Droid ones:

- This part of the official App Lounge doc also kind of confuses me, because it mentions that verifying an app's signature is not easy when it comes to the Play Store, but it is under the `CleanApk` question, which should not be used for Play Store apps (?); on the bright side, it seems like they are working towards ditching `CleanApk` altogether, but AFAIK it hasn't happened yet.

- There is a lengthy 2-part article (actually the only external piece about App Lounge I could find), which doesn't exactly inspire me with confidence in App Lounge (actually the /e/ ROM in general...) --> https://nervuri.net/e/apps ; the upside is that it shows some progress over time in general, but the fact that anybody at any point thought of using a shady API (that might supposedly be using `APKPure.com` as a source...) makes me really worried; note that even though it is written by "somebody from the internet", his concerns make sense to me (though again, I'm not any sort of expert). Also, I don't want to have to read the changelog or an analysis after every system update to potentially find out that they flipped and started using something different again.

Aurora Store
The upside of Aurora Store is that it is older; it was posted on XDA and GitHub a couple of years before App Lounge, and it is based off some other project that is even older. It is also independent from /e/; in fact it has been used in other ROMs (e.g. CalyxOS), so I think it may be more stable and tested. However, here the issues are:
- As opposed to the questionable resources/doc for App Lounge, there is basically almost no info about Aurora Store. The page itself has only download links; there is also a GitHub page that links you to an FAQ that doesn't exist, and to an XDA page that seems to be outdated. Generally, every official resource seems to be inconsistent in some way (like the XDA page mentions work in progress when it comes to some features of V3, when 4.x.x was released years ago), so it's hard to determine how it actually works. I am about 99% sure that it uses the Google Play API as a source (which is mentioned on the YalpStore page, which Aurora is forked from), but I haven't found it explicitly stated anywhere in Aurora Store (the best we get is that it is a "FOSS client to Google's Play Store"). That said, I hope this is just my nitpick, as it is FOSS and is used by some other ROMs, so I hope that somebody has read this code.
- The last commit is from 2021, so it seems not to be in active development. It is fine with me, as long as it is safe and works, but I'm afraid it might be abandoned and break in case of any changes to the Play Store API (as opposed to App Lounge, which seems to be in active development alongside the /e/ ROM itself).
- Since this app is completely independent from /e/, I wonder how system apps in /e/ itself would get updated without App Lounge active.

Practical tests
I have decided to use my secondary cheapo Pixel 3a as a playground for the /e/ ROM, installed Aurora and F-Droid on top of the pre-existing App Lounge, and started comparing the behavior. Since both are supposedly using the Google Play Store (though again, not 100% sure), you would think that results for "closed" apps will be the same. Well, mostly yes, but there seem to be some edge cases / exceptions.

Notes:
1. I'm not promoting any of those apps, those are just examples.
2. All tests done on the same physical device (Google Pixel 3a), around the same time, using the same network.
3. Device rebooted, and all apps force-closed right before the tests.
4. F-Droid: 1.16.3; App Lounge: 2.4.8; Aurora Store 4.1.1.
5. Checked the version and sometimes the update date; I wasn't interested in description, comments, etc.
6. Obviously I haven't checked every possible app, just some examples that I thought might be problematic.

Results were:
1. First I tried a few "big" apps; no surprise here, they all seem to return the same version (checked FB, YT, Netflix, Steam, etc., not that I use all of them). For example, Steam returned 3.5 (2023-02-24) in both clients.
2. The only exception that I was able to find was actually TikTok: 28.9.4 in App Lounge and 29.0.3 in Aurora Store; maybe this has something to do with the ban or the source of this app, but again, I'm checking on the exact same phone using the same network.
3. I decided to check some lesser-known but frequently updated app, and the only one I could think of that would fit that criteria was FairEmail. This example is also interesting because it is hosted in both the Play Store and F-Droid. It turned out that both Aurora Store and F-Droid featured the same version (1.2060), but App Lounge had only 1.2052. I should also point out that this app sometimes gets very frequent updates, so it is strange that App Lounge seems to have missed probably ~8 versions (albeit over a short period of time).
4. I started checking some Poland-specific apps (though quite popular ones), and I was able to find at least one irregularity, the Allegro app: 8.11.1 (2023-03-21) in App Lounge and 8.13.1 (2023-04-05) in Aurora Store.
5. I also checked some older and lesser-known apps; for example, the Cyberlords game exists in both stores in the same 1.0.8 version (last updated in 2020).
6. On the other hand, the quite ancient ADW Launcher (last updated in 2018) does not exist in App Lounge at all (it cannot be found), but can be installed from Aurora; I also confirmed that it actually still exists in the Play Store.
7. I also checked a very niche Polish-specific app, Semafor; it exists in both stores, can be found, same version.
8. I was also able to find that one of the old games, Move the Box by Exponenta (last updated in 2017), exists in Aurora Store but is nowhere to be found in App Lounge.
9. The same goes for Rss Reader by Svyatoslav Vasilev, which is not even that old (and includes a commercial/donate version); it exists in Aurora Store and is missing from App Lounge.

Link to screenshots -->


Conclusion/questions
1. Which store would you recommend based on everything I provided? From my side, I'm leaning towards either Aurora Store or coming back to the Google Play Store.
2. Where do those APKs come from in the end? Am I understanding correctly that in the end they should come from the Play Store API in both cases?
3. When it comes to my tests: am I missing something here? If the official descriptions (or rather my assumptions) are correct, and both of those clients are using official Play Store APKs accessed using likely the very same API, then how would that disparity in versions or visibility even be possible?
4. Any other Play Store alternatives, that I missed?
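Added example (editor's note; this is not part of the original post and not code from App Lounge, Aurora Store or /e/): the check that addresses the "where does this APK really come from" worry above is the signing certificate. Whatever client fetched the file, a given app's Play Store build is signed with the same key every time, so the SHA-256 fingerprint of the signer certificate should be identical whether App Lounge, Aurora Store or Play itself delivered it, and different from any repacked copy. The Python below parses the APK Signature Scheme v2 block (the "APK Sig Block 42" stored just before the ZIP central directory), pulls out each signer's certificate and compares fingerprints between two APKs or against a pinned value. It only extracts the certificate and does not verify the signatures themselves (`apksigner verify --print-certs` does that); the `build_v2_signed_apk` fixture is a constructed stand-in with placeholder digest, signature and key fields, used only to exercise the parser offline.

```python
"""Compare the signing certificate of APKs obtained from different stores.

Parses the APK Signature Scheme v2 block ("APK Sig Block 42", located just before
the ZIP central directory) and fingerprints each signer's certificate. It only
extracts certificates; it does NOT verify signatures (use `apksigner verify --print-certs`).
"""
import hashlib
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A  # ID of the v2 signature scheme pair inside the block

def _central_directory_offset(data: bytes) -> int:
    # EOCD: signature 0x06054b50, CD offset at +16, trailing comment <= 65535 bytes.
    eocd = data.rfind(b"PK\x05\x06", max(0, len(data) - 65557))
    if eocd < 0:
        raise ValueError("no End of Central Directory record")
    return struct.unpack_from("<I", data, eocd + 16)[0]

def _lp_read(buf: bytes, pos: int):
    """Read one uint32-length-prefixed field; return (field, next position)."""
    (n,) = struct.unpack_from("<I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def _lp_seq(buf: bytes):
    """Iterate over a sequence of length-prefixed items."""
    pos = 0
    while pos < len(buf):
        item, pos = _lp_read(buf, pos)
        yield item

def signer_certs_v2(apk: bytes) -> list:
    """Return the leaf (signing) DER certificate of every v2 signer."""
    cd_off = _central_directory_offset(apk)
    if cd_off < 24 or apk[cd_off - 16:cd_off] != APK_SIG_BLOCK_MAGIC:
        raise ValueError("no APK Signing Block before the central directory")
    (size,) = struct.unpack_from("<Q", apk, cd_off - 24)  # excludes its own 8 bytes
    start = cd_off - size - 8
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("inconsistent APK Signing Block size fields")
    pos, end, leaf_certs = start + 8, cd_off - 24, []
    while pos < end:
        pair_len, pair_id = struct.unpack_from("<QI", apk, pos)  # length covers ID + value
        value = apk[pos + 12:pos + 8 + pair_len]
        pos += 8 + pair_len
        if pair_id != V2_BLOCK_ID:
            continue  # v3, padding and other pairs are ignored here
        signers, _ = _lp_read(value, 0)
        for signer in _lp_seq(signers):
            signed_data, _ = _lp_read(signer, 0)    # signed data | signatures | public key
            _digests, p = _lp_read(signed_data, 0)  # digests | certificates | attributes
            certificates, _ = _lp_read(signed_data, p)
            leaf_certs.append(next(_lp_seq(certificates)))  # first cert is the signer's
    return leaf_certs

def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER certificate, the per-signer digest apksigner prints."""
    return hashlib.sha256(cert_der).hexdigest()

def signer_matches(apk: bytes, pinned_sha256: str) -> bool:
    """Does any v2 signer match a fingerprint pinned from a trusted copy?"""
    pin = pinned_sha256.lower().replace(":", "")
    return any(cert_fingerprint(c) == pin for c in signer_certs_v2(apk))

def same_signer(apk_a: bytes, apk_b: bytes) -> bool:
    """True when both APKs carry exactly the same set of v2 signer certificates."""
    fa = {cert_fingerprint(c) for c in signer_certs_v2(apk_a)}
    fb = {cert_fingerprint(c) for c in signer_certs_v2(apk_b)}
    return bool(fa) and fa == fb

def _lp(b: bytes) -> bytes:
    return struct.pack("<I", len(b)) + b

def build_v2_signed_apk(cert_der: bytes, entries: dict) -> bytes:
    """Constructed fixture, not a real signed APK: a ZIP plus a structurally valid
    v2 block around `cert_der`; digest, signature and public key are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    digests = _lp(_lp(struct.pack("<I", 0x0103) + _lp(b"\x00" * 32)))
    signed_data = _lp(digests + _lp(_lp(cert_der)) + _lp(b""))
    signatures = _lp(_lp(struct.pack("<I", 0x0103) + _lp(b"placeholder signature")))
    signer = _lp(signed_data + signatures + _lp(b"placeholder public key"))
    value = _lp(signer)  # length-prefixed sequence containing one signer
    pair = struct.pack("<QI", len(value) + 4, V2_BLOCK_ID) + value
    size = len(pair) + 8 + 16  # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    cd_off = _central_directory_offset(bytes(data))
    data[cd_off:cd_off] = block  # splice the block in front of the central directory
    struct.pack_into("<I", data, data.rfind(b"PK\x05\x06") + 16, cd_off + len(block))
    return bytes(data)
```

Usage: read the APK downloaded by each client as bytes (e.g. pulled with `adb shell pm path <package>` and `adb pull`) and call `same_signer(apk_from_aurora, apk_from_app_lounge)`, or pin the fingerprint once from a copy you trust and call `signer_matches(apk, pin)` on every later update. A mismatch means the file was signed by a different key than the one you pinned, regardless of which version number the store page showed; it does not by itself tell you which copy is the genuine one.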

