Security of unverified flatpaks
Flathub Discourse [Unofficial]
April 11, 2026
I have asked three questions:
1. What measures does Flathub take to prevent a malicious, established Flathub contributor from updating the manifest with a malicious source?
2. What happens if a malicious contributor were to change the source URL to a malicious domain?
3. If (2) were to happen, would the users of the compromised flatpak be alerted somehow?
I do not understand your answer in relation to any of these questions. Do you mean to say that it’s unreasonable for me to entertain the idea of Flathub employing supply-chain attack prevention measures and harm mitigation responses, in the case that the application package is not published by its developer?