Awesome! Perfect explanation. Thank you sir.
So while we do know https://dl.fedoraproject.org and https://mirrors.rpmfusion.org are trusted sources, allowing the gpgcheck to run would protect us in the rare case something was compromised on these web hosts, right?