As a maintainer of another unofficial flatpak:
You can always check the source code of the flatpak (code that downloads the deb then runs it inside the flatpak sandbox) here: https://github.com/flathub/org.signal.Signal
Any of the current maintainers could add malicious code, but that would ruin their GitHub and, by proxy, Twitter and LinkedIn credibility.
Flathub have final say on what is built and hosted on their flatpak repository (Flathub != Flatpak) and are able to remove versions at will.