Questions about degoogling and privacy

I cannot prove that I can’t pick a lock (I might simply fake an attempt and intentionally fail to do so). Similarly, it isn’t possible to prove that something is secure. I can only point out known flaws.
No security is perfect, but to date, Apple happily advertises the fact that no malware has been discovered and reported that has broken Lockdown Mode protections.

Apple Lockdown Mode disables the features abused by ‘mercenary’ and government malware in order to reduce the attack surface.
Almost all websites and even some apps stop functioning altogether. It can be ‘disabled’ for specific apps and websites, which thankfully gets my banking app to work, but not everything does. Some people will never notice its restrictions; others will find it completely unusable.

I’m mostly referring to forums as a malware vector. But it applies to any point where you download any software or app.
The forums might be completely malware free, but I have to consider who I’m getting the software from and what I can do to verify it. Especially if it’s an operating system or firmware.
I can verify that I’m on the correct forum website, but I cannot verify a forum user. I have to trust the admins to figure out whether the uploaded files contain malware and then trust them to remove it or prevent it from going public.
I can verify the official F-Droid and GrapheneOS websites and I can test to ensure that the file does in fact come from their website and hasn’t been altered.