
You can build the core code, reproducibly.

As I understand it, if you take this code and the binary blobs of the code that does stuff like video calls, you can verify that that's what is inside your Play Store APK.

Now, if you're a tinfoil hat wearer, obviously you can consider that maybe the video call code secretly reads your messages and sends them to the FBI, or indeed that the Android OS just ignores this APK and when you install it you get something else entirely anyway.

But it sure looks like the source code is in fact for the app you get.
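The verification step the comment above describes, as an added example that is not from the original thread or from any project's own tooling: compare a locally built APK with the one pulled from the Play Store entry by entry, skipping only the JAR-signature files under META-INF/ that are expected to differ because the store copy is signed with the developer's key. The sample "APKs" are constructed in memory as plain zip files; the entry names and contents are made up for the illustration, and APK v2/v3 signing blocks (which live outside the zip central directory, not as entries) are simply not seen by this comparison.

```python
import hashlib
import io
import zipfile

# JAR-signature entries: they carry the signature, not app content, so a
# locally built (unsigned or self-signed) APK is expected to differ here.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", ".MF")


def is_signature_entry(name):
    return name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)


def content_digests(apk_bytes):
    """Map every non-signature zip entry to the SHA-256 of its uncompressed bytes.

    Hashing the decompressed content (rather than the raw zip) deliberately
    ignores timestamps, entry order and compression settings, which are the
    usual sources of spurious differences between two honest builds.
    """
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(local_apk, store_apk):
    """Return which entries exist only on one side and which differ in content."""
    local, store = content_digests(local_apk), content_digests(store_apk)
    common = set(local) & set(store)
    return {
        "only_local": sorted(set(local) - set(store)),
        "only_store": sorted(set(store) - set(local)),
        "differs": sorted(name for name in common if local[name] != store[name]),
    }


def reproducible(local_apk, store_apk):
    """True only when every content entry matches exactly on both sides."""
    result = compare_apks(local_apk, store_apk)
    return not (result["only_local"] or result["only_store"] or result["differs"])


def make_apk(entries):
    """Build a minimal zip in memory standing in for an APK (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a local build, the same build as the store would ship
# it (signed, so it carries META-INF signature files), and a tampered variant.
APP_CONTENT = {
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
    "lib/arm64-v8a/libvideo.so": b"\x7fELF" + b"video call blob",
}
LOCAL_APK = make_apk(APP_CONTENT)
STORE_APK = make_apk({
    **APP_CONTENT,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82" + b"\x00" * 16,  # placeholder PKCS#7 blob
})
TAMPERED_APK = make_apk({**APP_CONTENT, "classes.dex": b"dex\n035\x00" + b"\x41" * 32})

if __name__ == "__main__":
    print("store matches local build:", reproducible(LOCAL_APK, STORE_APK))
    print("tampered vs local:", compare_apks(LOCAL_APK, TAMPERED_APK))
```

In practice the store-side APK is whatever `adb pull` gives you for the installed package, and a mismatch in `differs` is where you start reading; a clean result still says nothing about the signing block itself, which is a separate check.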



It would be nice if Android let you check the hash of the APK against a Binary Transparency log hosted by a third party. Google have even written extensively about this idea:

https://transparency.dev/application/add-tamper-checking-to-...
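What the client side of the binary-transparency check in the comment above would look like, as an added example that is not part of the original thread and not code from transparency.dev or any of its logs. It assumes a log whose leaves are the SHA-256 of each published APK and whose tree uses RFC 6962 / RFC 9162 Merkle hashing (leaf prefix 0x00, node prefix 0x01); a real log publishes its own leaf encoding, and the signature on its tree head would also have to be checked, which this example leaves out. The log contents are constructed in memory; a real client would fetch the tree head and inclusion proof from the log operator.

```python
import hashlib


def leaf_hash(data):
    """RFC 6962 leaf hash: domain-separated so a leaf can never pose as a node."""
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n):
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_head(leaves):
    """Merkle tree hash over the leaf data (RFC 6962 section 2.1)."""
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = _split(len(leaves))
    return node_hash(tree_head(leaves[:k]), tree_head(leaves[k:]))


def inclusion_proof(index, leaves):
    """Audit path for leaves[index]; this is what the log server hands back."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(index, leaves[:k]) + [tree_head(leaves[k:])]
    return inclusion_proof(index - k, leaves[k:]) + [tree_head(leaves[:k])]


def verify_inclusion(leaf_data, index, tree_size, proof, root):
    """Client-side check (RFC 9162 section 2.1.3.2): recompute the root from the
    leaf and the audit path and compare it with the published tree head."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(leaf_data)
    for p in proof:
        if sn == 0:
            return False  # proof is longer than the tree allows
        if fn % 2 == 1 or fn == sn:
            r = node_hash(p, r)
            if fn % 2 == 0:
                while fn % 2 == 0 and fn != 0:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def apk_leaf(apk_bytes):
    """Leaf encoding assumed here: the raw SHA-256 of the APK file."""
    return hashlib.sha256(apk_bytes).digest()


# Constructed log: seven hypothetical APK releases, each a made-up byte string.
RELEASES = [b"app-v%d.apk contents" % v for v in range(1, 8)]
LOG_LEAVES = [apk_leaf(apk) for apk in RELEASES]
TREE_HEAD = tree_head(LOG_LEAVES)


def check_installed_apk(apk_bytes, index, tree_size=len(LOG_LEAVES), root=TREE_HEAD):
    """What the device would do: hash the APK it actually has, ask the log for
    the proof at the claimed index, and verify it against the tree head."""
    proof = inclusion_proof(index, LOG_LEAVES)
    return verify_inclusion(apk_leaf(apk_bytes), index, tree_size, proof, root)


if __name__ == "__main__":
    print("genuine v4 in log:", check_installed_apk(RELEASES[3], 3))
    print("tampered v4 in log:", check_installed_apk(RELEASES[3] + b"X", 3))
```

The point of the inclusion proof is that the client needs only the small tree head (which can be gossiped or pinned) plus a log-sized-in-log(n) path; an APK that was never logged cannot produce a path that hashes up to the published root, whichever index the installer claims for it.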


Android does verify that any new versions of an APK are signed with the same signing key as previously installed versions. So you would have to compromise the signing key held by the developer in order to push an evil APK.



