actually this does not concern wallets at all because technically you should not even care where you download the binaries from because even if you download them from the official website it still is not safe until you cryptographically verify its digital signature.
the only thing that you should ever worry about is acquiring the real public key of the developer. then you could even receive the binaries in your Email from someone and check the signature with that public key. as long as PGP is not broken (which it is not) there is no way to fake this.

those people who got scammed (mentioned in the comment you quoted) got scammed because they never bothered with signature verification ever.