“likely”: So,
2a. Can someone here say for sure?
2b. If yes, Howto remedy?
2b2. Which Trusted Credentials are necessary for FDroid to download repositories?
Bad security is also when things do not work that should work. I don’t know how details but https://f-droid.org/ has the following trust chain:
depth=3 C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = f-droid.org
verify return:1
So you have to trust at least “C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services”.
But please be aware that this works as long as the current certificate is in place. This can change anytime.