
Flatpak repos are GPG signed, nothing changes.


Yes it does. I go from trusting one vendor (with one key) to install one package (and dependencies) to one 3rd party repo (with one key) to install N packages, and the owners of the 3rd party repo don't verify the uploaders to their repo.

That's going from trusting 1 person to trusting thousands.


There is nothing stopping one repo containing one app+runtime.


Sure, just like there is nothing stopping them doing the same with apt/yum/etc... the thing is that they don't. So if they stop publishing their native packages and push to a handful of central repos I'm forced into a 1:N trust situation rather than the 1:1 it should be.
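To make the "which keys am I actually trusting" question concrete, here is an added example (written for this note, not code from the thread or from the Flatpak project) that audits a Flatpak/ostree repo config and lists every configured remote together with whether it verifies GPG signatures. It runs offline against a constructed sample config; the remote names and example.invalid URLs in that sample are made up, and the real config paths named in the comments are assumptions to point it at on a live system.

```sh
#!/bin/sh
# Added example, not from the thread. Audit which remotes a Flatpak install
# trusts and whether each one has GPG verification switched on.
#
# On a real system point REPO_CONFIG at the ostree config Flatpak keeps:
#   system install: /var/lib/flatpak/repo/config
#   user install:   ~/.local/share/flatpak/repo/config
# (assumed default locations; adjust if your install uses another prefix).
#
# A vendor-specific remote with its key pinned is added with, e.g.:
#   flatpak remote-add --if-not-exists --gpg-import=vendor.gpg vendor https://vendor.example/repo/
# while `flatpak remote-add --no-gpg-verify ...` writes gpg-verify=false,
# which is exactly what this audit is meant to surface.

# Print "name url gpg-verify" for each [remote "..."] section of an ostree config.
list_remotes() {
    awk '
        /^\[remote "/ {
            if (name != "") print name, url, verify
            name = $0; sub(/^\[remote "/, "", name); sub(/"\]$/, "", name)
            url = "-"; verify = "unset"; next
        }
        /^\[/ { if (name != "") print name, url, verify; name = ""; next }
        name != "" && /^url=/        { url = substr($0, 5) }
        name != "" && /^gpg-verify=/ { verify = substr($0, 12) }
        END { if (name != "") print name, url, verify }
    ' "$1"
}

# Print the names of remotes whose gpg-verify is not explicitly "true".
# ostree defaults to verifying when the key is absent, but an audit should
# flag anything that is not explicitly on so it gets looked at.
unverified_remotes() {
    list_remotes "$1" | awk '$3 != "true" { print $1 }'
}

# Constructed sample config so the script runs without a Flatpak install.
# Remote names and example.invalid URLs are made up for illustration.
SAMPLE_CONFIG="${TMPDIR:-/tmp}/flatpak-remote-audit.$$"
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
[core]
repo_version=1
mode=bare-user-only

[remote "flathub"]
url=https://dl.flathub.org/repo/
xa.title=Flathub
gpg-verify=true
gpg-verify-summary=true

[remote "vendor-only"]
url=https://example.invalid/repo/
gpg-verify=true

[remote "unverified-mirror"]
url=https://example.invalid/other/
gpg-verify=false
EOF

REPO_CONFIG="${REPO_CONFIG:-$SAMPLE_CONFIG}"

echo "configured remotes (name url gpg-verify):"
list_remotes "$REPO_CONFIG"
echo
echo "remotes without explicit gpg-verify=true:"
unverified_remotes "$REPO_CONFIG"
```

Each line of the first listing is one key you are trusting; the vendor-only remote is the 1:1 case the comment above argues for, while a remote with gpg-verify=false is trusting the transport alone. Set REPO_CONFIG in the environment to run it against a real install.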


But they do? VSCode, Spotify, Chrome, etc are all custom repos just for their software.


Are they? I can't find the existence of a flatpak repo for any of those apps, all are just in global flathub/snapcraft repos. I'm happy to be wrong but I can't see anything that backs up your claim.

Spotify: https://www.spotify.com/uk/download/linux/

Chrome: https://www.google.com/linuxrepositories/

VSCode: https://code.visualstudio.com/download



