Aurora offering "update" for suspicious app from Play Store with same package name as installed F-Droid app
Aurora has started offering an update for an app I have never seen before: https://play.google.com/store/apps/details?id=com.zionhuang.music
I presume this is due to it using the same package name as the F-Droid app it has ripped off which I do have installed: https://f-droid.org/en/packages/com.zionhuang.music/
Is this not a security risk, and is there any way to prevent this exploit happening in general?
Note that I do have the "Filter F-Droid apps" option enabled, and it does not seem to suffice to prevent this from happening. It also looks like this filter is not effective if there is a newer version offered by the Play Store than what is on F-Droid? For example, Aurora is currently offering to update my F-Droid installed apps LocalSend, phyphox and Open Camera, presumably because they all have newer versions in the Play Store than what is on F-Droid? I can open a separate issue for this if desired.
Tested on Aurora Store v4.3.5 running on Android 8.
Edit: Temporary workaround is to manually add the F-Droid app (in this case InnerTune) to the Aurora blacklist manager.
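
A way to find which installed apps need the blacklist workaround described above, as an added example that is not part of the original report or Aurora Store's code. It parses the output of `adb shell pm list packages -i` and lists update offers for packages whose installer of record is F-Droid. The installer prefix `org.fdroid.fdroid`, the function names, and all sample data except `com.zionhuang.music` are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. The listing format is that printed by:
#   adb shell pm list packages -i
# i.e. lines of the form "package:<name>  installer=<installer package>".

# Assumption: F-Droid (and its privileged extension) record an installer
# name that starts with this prefix.
FDROID_INSTALLER="org.fdroid.fdroid"

# Print, sorted, the packages whose installer starts with prefix $1.
# Reads the listing on stdin; strips the CR that older adb versions append.
installed_by() {
    tr -d '\r' | awk -v want="$1" '
        /^package:/ {
            pkg = substr($1, 9)                  # drop "package:"
            inst = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /^installer=/) inst = substr($i, 11)
            if (index(inst, want) == 1) print pkg
        }' | sort -u
}

# $1 = listing text, $2 = package names a second store offers to update
# (one per line). Prints the offers that target F-Droid-installed apps,
# i.e. the candidates for the blacklist.
cross_store_offers() {
    fdroid=$(printf '%s\n' "$1" | installed_by "$FDROID_INSTALLER")
    [ -n "$fdroid" ] || return 0
    printf '%s\n' "$2" | tr -d '\r' | grep -Fx -e "$fdroid" | sort -u
}

# Constructed sample data (only com.zionhuang.music comes from the report).
SAMPLE_LISTING='package:com.zionhuang.music  installer=org.fdroid.fdroid
package:org.example.notes  installer=org.fdroid.fdroid.privileged
package:com.example.maps  installer=com.android.vending
package:com.example.sideloaded  installer=null'
SAMPLE_OFFERS='com.zionhuang.music
com.example.maps'

cross_store_offers "$SAMPLE_LISTING" "$SAMPLE_OFFERS"
```

On a real device, pass the captured `pm list packages -i` output as the first argument and the package names shown on the updates screen as the second.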