F-Droid is an installable catalogue of FOSS (Free and Open Source Software) applications for the Android platform. The client makes it easy to browse, install, and keep track of updates on your device.
BOINC has been around for decades and no project containing malware has ever happened. Ultimately you have to trust the BOINC project you are running code from. Most of them are run out of major universities or research institutes.
BOINC also features code-signing to prevent mitm attacks or somebody breaking into a project server and distributing malware that way. Projects are encouraged to keep the signing keys on an offline machine or at least a different machine, which probably generally is what happens. Most developers do their coding work on one machine and then publish that to a server. Using your server for development would be inconvenient and questionable practice.
With Android specifically, I don’t know the extent to which malware could even do anything as there’s built-in sandboxing.
BOINC does also have a sandboxed mode available on Windows, but it will prevent BOINC from using your GPU if you want it to do that. On Linux, BOINC typically runs as an unprivileged user.
How do I know a Boinc project doesn’t have malware?