Every package's install script has root access to your system, so the mere act of adding a PPA or installing a package from one is an implicit statement of trust on your part of the PPA owner.
So, what happens if your trust is misplaced and a PPA owner wants to be naughty?
In order to upload to a PPA, a package must be signed by a GPG key unique to the Launchpad user (indeed, the same key they signed the code of conduct with). So in the case of a known malicious PPA we would simply ban the account and shut down the PPA (affected systems would still be compromised, but there's no good way to fix them at that point anyway).
To some extent Launchpad's social features can be used as a bit of a preventative measure of bad users -- someone who has a history of contributing to Ubuntu and some established Launchpad karma, for instance, is less likely to be setting up a trap PPA.
Or what if someone gains control of a PPA that isn't theirs?
Well, this is a bit tougher of a threat scenario, but also less likely since it requires an attacker getting both the Launchpad user's private key file (generally only on their computer) as well as the unlock code for it (generally a strong password not used for anything else). If this happens, though, it's usually fairly simple for someone to figure out their account has been compromised (Launchpad will for instance email them about the packages they're not uploading), and the cleanup procedure would be the same.
So, in sum, PPAs are a possible vector for malicious software, but there are probably much easier methods for attackers to come after you.
Best Answer
If you boil this back to the simplest terms:
An official repository is one published as part of Ubuntu, managed by Canonical and Ubuntu MOTUs.
They currently consist of main, restricted, universe, multiverse, partner, extras and some exist in multiple "states" (-proposed, -updates, -backports, etc).
The repo names might change in time but the point is that these are .
On mirrors: The contents (MD5 hashes of files, etc) of the repository are signed with the Ubuntu key so even if you're pulling the official files from a non-official mirror, you can be fairly certain that they are the original files.
You can't implicitly compare security levels between a Launchpad PPA and another non-official repo hosted elsewhere. It all boils down to how much you trust the person running the repo.
The difference is with a Launchpad PPA, you can see the person who is packaging things. Most times you can see the source. In other repos (e.g. dl.google.com or repo.steampowered.com) you likely know neither.
Trust is an odd thing.
Feature-wise a repo is just a particular structure of directories and files, hosted on the web. The only special features I've ever seen are authentication to allow only people who have purchased software to download it, but this is very basic web server security and hardly special :)
This is perhaps the biggest of the questions and it's probably best answered (if indirectly) by another question: How to get my software into Ubuntu?
Official repo software is supposed to have a development process behind it. Levels of testing that ensure quality and an amount of peer review. PPA maintainers can encourage this sort of process but it's not something you can assume. Some are better than others.
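The signed-index mechanism the answers above rely on (a Release file listing the size and hash of every Packages index, with the Release file itself signed by the archive key) can be checked by hand. The following is an added example, not code from Ask Ubuntu or from apt: it parses the MD5Sum/SHA1/SHA256 sections of a constructed Release file and verifies a Packages index against them; the sample repository contents are constructed, and the signature check on Release/InRelease that apt performs with gpgv is assumed to have already passed.

```python
import hashlib

# Constructed sample of a Packages index as a repository would serve it.
PACKAGES_INDEX = b"Package: example\nVersion: 1.0\nFilename: pool/main/e/example_1.0_all.deb\n"

# Constructed sample of the Release file that apt verifies the archive
# signature on. Real ones carry MD5Sum:, SHA1: and SHA256: sections, each
# line being " <hexdigest> <size> <path>" for one index file.
RELEASE = (
    "Origin: Ubuntu\nSuite: focal\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES_INDEX).hexdigest()} {len(PACKAGES_INDEX)} main/binary-amd64/Packages\n"
    "MD5Sum:\n"
    f" {hashlib.md5(PACKAGES_INDEX).hexdigest()} {len(PACKAGES_INDEX)} main/binary-amd64/Packages\n"
)


def parse_release(text):
    """Return {hashlib name: {path: (hexdigest, size)}} from a Release file."""
    sections = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}
    result, current = {}, None
    for line in text.splitlines():
        if not line.startswith(" "):
            # A new field; only the three hash sections are of interest here.
            current = sections.get(line.split(":", 1)[0])
            if current:
                result.setdefault(current, {})
            continue
        if current:
            digest, size, path = line.split()
            result[current][path] = (digest, int(size))
    return result


def verify_index(release_text, path, data, algo="sha256"):
    """True only if `data` has exactly the size and digest that the Release
    file advertises for `path`. This is the step that lets a non-official
    mirror serve the files while the trust still rests on the archive key
    that signed Release (the signature check itself is assumed done)."""
    entries = parse_release(release_text).get(algo, {})
    if path not in entries:
        return False  # index not covered by the signed Release file
    digest, size = entries[path]
    if len(data) != size:
        return False
    return hashlib.new(algo, data).hexdigest() == digest
```

A mirror that serves a modified Packages index (or one not listed in Release at all) fails this check even though the web server delivered it without error.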