If it is https then nobody is replacing the file in transit (most likely)

If it is https then the file is probably actually from the domain your trying to download from. When in doubt check the checksums .

For fdroid just retry the download install loop and let the app do the checks

It’s worth checking the checksum when downloading a file on the internet. Moreover, every time you don’t download from the official site, you may get some extra “spyware” tons of company basically live out of distributing bloated version of free software with commercial addons collecting some data or showing some ads.

But using tor doesn’t make it more dangerous than not using it (it would be an extra safetly layer)