Why smaller attack surface? Bigger attack surface. For an attacker is way easier to hack a single developer and publish a malicious APK on their GitHub (or alternative) rather than hosting malware on the official fdroid repository.
The first just requires a phishing email (trojanize a random Dev with poor opsec, get his apk signing key and his browser cookies) while the second is way more complex (get full access to fdroid build servers)
Not seeing that option in my pixel 7 with the latest December update (which revamped the settings menu with a different order, placing Google at top instead of bottom)