
that's not how the Play store (or Android) works. Moxie signs the APK, phones will only install updates that are signed with the same certificate as the version they already have. Google cannot modify apps.

Edit: In contrast, the F-Droid builds were built and signed by F-Droid, so they could at any time include any code they wanted. Whom do you trust more, the developer or some alternate app store?



Google could also distribute a differently signed apk to selected users. And there's no way for users to check the signature of an apk (if they didn't have it installed before).

And I certainly trust an open source project much more than a US company.
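The same-signer rule both comments above describe (a phone accepts an update only if its signing certificate matches the installed app's), as an added example that is not code from this thread, from Android or from F-Droid: it pulls the signer certificate out of a v1 (JAR-style) signature block in META-INF/*.RSA and compares SHA-256 fingerprints. It assumes v1 signing and uses a constructed stand-in APK (`fake_v1_signed_apk`) so it runs offline; on a real APK you would use `apksigner verify --print-certs`.

```python
import hashlib, io, zipfile

def _tlv(data, pos=0):
    """Decode one DER TLV at pos -> (tag, value, end offset)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(value):
    """Split a constructed DER value into its raw child TLVs."""
    out, pos = [], 0
    while pos < len(value):
        _, _, end = _tlv(value, pos)
        out.append(value[pos:end])
        pos = end
    return out

def signer_cert_fingerprint(apk_bytes):
    """SHA-256 of the first certificate in the v1 signature block (META-INF/*.RSA)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        blocks = [n for n in z.namelist() if n.upper().startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        if not blocks:
            raise ValueError("no v1 signature block: unsigned or v2/v3-only APK")
        p7 = z.read(blocks[0])
    _, content_info, _ = _tlv(p7)               # ContentInfo ::= SEQ { OID, [0] SignedData }
    _, signed_data, _ = _tlv(_tlv(_children(content_info)[1])[1])
    fields = _children(signed_data)             # version, digestAlgs, contentInfo, [0] certs, ...
    return hashlib.sha256(_children(_tlv(fields[3])[1])[0]).hexdigest()

def update_allowed(installed_apk, candidate_apk):
    """Android's same-signer rule: accept the update only if the signing certs match."""
    return signer_cert_fingerprint(installed_apk) == signer_cert_fingerprint(candidate_apk)

def der_encode(tag, payload):
    """Encode a DER TLV (constructed test helper; payloads under 64 KiB)."""
    n = len(payload)
    return bytes([tag, n]) + payload if n < 128 else bytes([tag, 0x82]) + n.to_bytes(2, "big") + payload

def fake_v1_signed_apk(cert_der):
    """Constructed stand-in for a v1-signed APK: only the PKCS#7 layout is realistic."""
    signed_data = der_encode(0x30, der_encode(0x02, b"\x01") + der_encode(0x31, b"")
                             + der_encode(0x30, der_encode(0x06, bytes.fromhex("2A864886F70D010701")))  # id-data
                             + der_encode(0xA0, cert_der) + der_encode(0x31, b""))
    p7 = der_encode(0x30, der_encode(0x06, bytes.fromhex("2A864886F70D010702")) + der_encode(0xA0, signed_data))  # id-signedData
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n")                 # placeholder app content
        z.writestr("META-INF/CERT.RSA", p7)
    return buf.getvalue()
```

The "no v1 signature block" path matters in practice: APKs signed only with the v2/v3 scheme keep their signing block outside the zip entries, so a META-INF-only check would wrongly treat them as unsigned.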


But that angle of attack only works if they target you from the moment you first install the app. It would be much easier to just push a modified Google application update to your phone if that is what they wanted.

What it boils down to is that with the Play store, you can be sure that you're not getting malicious updates from some intermediary, as each developer signs their own APKs, and Google doesn't have the keys. Whereas if f-droid is compromised, all applications they build are compromised. That's a much greater risk.


You can set up your own repo.


I am talking about Moxie and OpenWhisperSystems. They _might_ be good guys but that is not enough reason to completely rely on them for your security.



