I'd say looking at exchange listings to verify if a project is legit is probably one of the worst ways to determine that.
Exactly, and I tend to agree with this; even when a project is listed on a big exchange, the chances of getting scammed are still there.
IMO, what matters is transparency.
Everything should be transparent, from the team to community engagement, and lastly, you can verify it on GitHub because it is an open-source project. Open-source projects allow the community to review the code for transparency and security.