The Service Worker doesn't simply check a signature from the developer, it checks the source code against the version on GitHub. So, to know whether it contains a backdoor, read the code on GitHub.
It's similar to the keybase.io identity model (using popular services as defacto authories). It might be overkill but it could be nice to supplement that with a check of the repo mirrored on e.g. Bitbucket and Gitlab.
Yes, definitely. GitLab's API is very similar to GitHub's, except that it doesn't support CORS. If that's fixed it should be pretty simple to add support for GitLab.
I wonder what do they do with Service Worker updates that the browser normally does every day or so. Do they somehow block install and activate events? If not then the attacker just needs to update the worker and the history repeats.
There's no way to block activate events, but there's a way to delay them. In the meantime, you can check the new Service Worker file against GitHub, and if it doesn't match, warn the user.
But how would you know an app developer wasn't compromised and signed the next version with a backdoor also?