The idea is to leverage the web of trust for security and curation, so there's no "one size fits all" authoritative approach like all the current app store models - it's all weighted by who you follow/trust. Having curators is not a requirement.
That said, you are right in that curation could remain an important piece of the puzzle. Many people don't have the time or expertise to judge a developer or a result of a malware analysis DVM. So what I mentioned about NIP-51 lists could be even bigger than I thought.