The official F-Droid repo is served over HTTPS, so only F-Droid will know what app you are downloading.
However, the repo has a few mirrors, so it is possible that they might be informed of whatever apps you are downloading.
However, any third parties, such as your ISP or government, in theory should not be able to learn what apps you are downloading.
Please see the originally linked:
@hans (or anyone else)
Is malware scanning of the apps no longer performed?
I thought they were passed to VirusTotal at some point.
I know Fedora scans all packages with ClamAV when built in Koji.
(edit: hmm maybe not anymore? https://bugzilla.redhat.com/show_bug.cgi?id=1564915)
Ignoring the obvious shortcomings of it.