If RPMFusion ships configuration for other repos, the package should
also include the GPG key, set gpgcheck=1 and include only the intended
packages with includepkgs to minimise security problems.
I have done some examples in the system-config-repo upstream; all
include the GPG key (and system-config-repo has some basic tooling
to inspect it, which should be improved).
All examples I have looked into so far are basically just to make a
specific application available. As long as this is technically sound
(no idea, never used this one) the includepkgs idea looks great to