Publisher matters. Some random website advertising a disk cleaning utility could be malware while a Fitgirl repack most definitely isn’t. Installing something from an official Ubuntu software repository is also pretty safe, while something from a 3rd party repository or community development library could be malware. I also generally trust PDFs from Anna’s Archive and Libgen or Internet Archive, because of the reputation loss to them if it were. You can minimize your risk to a tolerable level this way.

In that instance maybe run docker with gluetun and qbitnox. It’s a bit difficult to setup but will sort of achieve what you’re looking for.

Can you set the interface in qbit to tun?

I call them after what service is running on it. E.g. openvpn.