It always used to update once you tick the unknown sources box. That box has become a bit more granular, but nothing like normal operating systems. Even if you tick that box, it will still ask you individually for each app if you trust it as a source of apks. It solves the f-droid issue since f-droid has some signature checks internally. So it's ok to trust f-droid on the whole as an application. However, android has no notion of gpg keys the way regular linux distros add repos/ppas. So you can't add someone's gpg key as a trusted source. If you download an apk in your browser, it will ask you if you want to trust the browser as a trusted source, which is like the universal set of apks.