How to: Verify GitHub downloads?
So I have been running Linux for a bit now, but I am still not fully confident with downloading "random" AppImages or .tar archives (I don't even know how to run/compile the archives, but that is another problem lol) from GitHub or something.
I try to verify the hashes or GPG signatures for all the programs but not every developer provides a latest.yml.
I recently noticed that GitHub sometimes shows a sha256 sum next to the files in the release tab, but not in every repo. Is this just a second layer, or is this a substitution for the latest.yml?
Is there something I am missing, or should I not worry too much when using AppImages or Flatpaks because they are sandboxed anyways?
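The hash check mentioned in the post, written out as an added example that is not part of the original post: a shell function that compares a downloaded file against a published SHA-256 value and fails closed on malformed input. The function name `verify_sha256` and the optional `sha256:` prefix handling are assumptions made for this example.

```shell
#!/bin/sh
# verify_sha256 FILE EXPECTED   (hypothetical helper, added for illustration)
# EXPECTED is the published digest: 64 hex characters, optionally prefixed
# with "sha256:" (assumed copy/paste form). Case and whitespace are ignored.
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_sha256() {
    file=$1
    expected=$2

    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # Normalise the published value: drop whitespace, lowercase, strip prefix.
    expected=$(printf '%s' "$expected" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
    expected=${expected#sha256:}

    # Reject anything that is not exactly 64 hex characters, so a truncated
    # or empty value can never be treated as a successful check.
    case $expected in
        *[!0-9a-f]*) echo "digest contains non-hex characters" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "digest is not 64 hex characters" >&2; return 2; }

    # Hash from stdin so odd file names cannot alter sha256sum's output format.
    actual=$(sha256sum < "$file" | cut -d' ' -f1)

    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}
```

A matching hash only shows that the file is the one the published value describes; if the value comes from the same page as the download, it does not by itself prove who published it, which is what a GPG signature check adds.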