
Your understanding is basically right.

Nothing has suddenly become less secure in Debian or Ubuntu themselves. What has really changed is how web browsers behave, not how Linux packages are protected.

Earlier, browsers were relaxed about downloading files over normal HTTP. Now, modern browsers are much stricter. If you try to download a .deb file over HTTP, they warn you or block it because the connection is not encrypted. From the browser’s point of view, any software downloaded over HTTP could be modified while travelling over the network. However, Debian and Ubuntu never depended on HTTPS for security in the first place.

APT uses a different security model. Every repository and package is cryptographically signed. When you install a package using apt, it checks the signature and verifies the checksums. If anything was altered, apt will simply refuse to install it. This protection works even if the download happens over plain HTTP.

So the same file can look:

- unsafe to a browser, because the browser only sees an unencrypted download
- safe to APT, because APT verifies the signature and integrity

When you manually download a .deb file in a browser, the browser does not verify Debian/Ubuntu signatures. That’s why browsers warn you — not because the package is bad, but because they cannot validate it the way apt can. Your old workflow wasn’t really dangerous, but it was never ideal either. Manual .deb installs bypass dependency handling, upgrades, and signature checks unless you verify them yourself. It worked in practice, but it was always more fragile than using apt.

So yes, your suspicion is correct:

- Debian and Ubuntu repositories are still secure
- APT security has not changed
- Browsers have become more strict and opinionated about what they allow you to download.