Software is distributed on Linux as an AppImage, which has no native sandboxing and should be considered untrusted.
Best practice for releases is to publish a PGP public key on a keyserver and to offer a signature file created with this keypair alongside each release. This allows users to verify with some confidence that the binary is genuine and was not forged or altered by an attacker.
Cheers
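The sign-and-verify flow described above, as an added example that is not part of the original post or the project's release tooling: a maintainer creates a detached PGP signature for a release artifact, and a user who holds only the published public key checks it. The key name, e-mail address, file names and artifact contents are constructed for the demo, and both sides use throwaway GNUPGHOME directories so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): a maintainer signs a release
# artifact with a detached PGP signature and a user verifies it using only the
# published public key. Key name, e-mail and file names are constructed.
set -eu

MAINT_HOME="$(mktemp -d)"; USER_HOME="$(mktemp -d)"; WORK="$(mktemp -d)"
chmod 700 "$MAINT_HOME" "$USER_HOME"

# --- Maintainer side -------------------------------------------------------
# Generate a signing key (no passphrase, demo only) and export the public key
# that would be uploaded to a keyserver and published with the project.
GNUPGHOME="$MAINT_HOME" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Demo Maintainer <demo@example.invalid>' ed25519 sign never 2>/dev/null
GNUPGHOME="$MAINT_HOME" gpg --quiet --batch --armor --export demo@example.invalid \
    > "$WORK/maintainer.asc"

# Build a stand-in for the AppImage and publish a detached, ASCII-armoured
# signature next to it (MyApp.AppImage.asc), as the post recommends.
printf 'constructed stand-in for an AppImage binary\n' > "$WORK/MyApp.AppImage"
GNUPGHOME="$MAINT_HOME" gpg --quiet --batch --armor --detach-sign \
    --output "$WORK/MyApp.AppImage.asc" "$WORK/MyApp.AppImage"

# --- User side -------------------------------------------------------------
# The user imports only the published public key; the secret key never leaves
# the maintainer's machine.
GNUPGHOME="$USER_HOME" gpg --quiet --batch --import "$WORK/maintainer.asc" 2>/dev/null

# Returns 0 only if the signature is valid for exactly these bytes and was made
# by a key in the user's keyring; any change to the artifact makes it fail.
verify_release() {
    # $1 = downloaded artifact, $2 = its detached signature
    GNUPGHOME="$USER_HOME" gpg --quiet --batch --verify "$2" "$1" 2>/dev/null
}

# A tampered copy (one byte appended) must be rejected.
cp "$WORK/MyApp.AppImage" "$WORK/MyApp.tampered.AppImage"
printf 'x' >> "$WORK/MyApp.tampered.AppImage"

if verify_release "$WORK/MyApp.AppImage" "$WORK/MyApp.AppImage.asc"; then
    echo "genuine artifact: signature OK"
fi
if ! verify_release "$WORK/MyApp.tampered.AppImage" "$WORK/MyApp.AppImage.asc"; then
    echo "tampered artifact: signature rejected"
fi
```

The check is only as strong as the user's confidence that the imported key really belongs to the maintainer, so the key fingerprint should be published somewhere the user can cross-check (project site, README), not only on a keyserver.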