Rest was sufficiently explained, will just add a little bit more scary stuff regarding OpenRepos. Thanks to no policies and no QA, you can upload there rpm that does pretty much anything. You completely trust packager and openrepos as during installation, package has a root privileges on your phone - can brick it if it decides too.

Also AFAIK rpms from OpenRepos are not signed so if some attacker gets access to the server, he can infect popular rpms without developers knowing.

So, good intentions and given Jolla store policies and such really useful, but potentially big security hole.