Comment by mcpackieh

You're missing a big part of the equation: the leopard exists in places where developers can push updates directly to users with minimal if any oversight from commercially independent reviewers. Debian and F-Droid build packages from source given to them by the developers, they don't trust developer builds. Therefore even though these Simple apps have sold to a malware company, that company won't be able to push updates to users. On platforms where this leopard is common, there may be some lip service paid to review but it's almost always completely automated or performed by low-skill contract labor who have no personal commitment to the process.

Another aspect of leopard territory is API churn. On Android and to a lesser extent browser extensions, regular rebuilds are necessary to keep the application up to date. This sometimes necessitates reworking parts of the application, not just rebuilding it. This recurring chore places a constant burden on developers, they can't "finish" an application then forget about it and move on with their lives; doing so would see their work vanish. On the other hand, on GNU/Linux desktops it's perfectly feasible to "finish" an application and leave it unmaintained for 15 years, people will still be able to use it. And on Android with F-Droid, most of the burden of rebuilding applications to keep them running is taken on by F-Droid volunteers, reducing the burnout pressure on application developers.

The conclusion is simple: Strict separation of the developer and packager/distributor roles keeps the leopard away.