So, this is certainly something that we’re thinking about. And in Seeking contractors for work on Flathub project we’re looking at ways to manage binary uploads from verified developers and have just appointed some contractors to begin working on this, along with a number of other improvements to the developer experience.
I am interested in the question about if the build could result in something different from what you tested, if your manifest it written to the flathub standards it really shouldn’t, although we can’t guarantee fully reproducible builds currently this is certainly something that flatpak is intended to make a lot easier so I’d be really interested in your specific concerns or if there’s anything else you have to share. I love your concern though, this is exactly the kind of problem we believe real developers have and want to help solve!