Verify downloaded binaries #4275

@YoshiRulz

As of e0974e3, the checksums for the FFmpeg binaries in the ffmpeg-binaries repo are hardcoded in FFmpegService. That will be checked before FFmpeg is ever executed.


As of the same commit, the RAIntegration download no longer blindly follows any address; it has to resolve to retroachievements.org.
RA's API seems to be down at the moment so I can't check if that includes a checksum, but even if it did, it would need to be signed as well (and we hardcode the pubkey).
Though as CPP points out below, the downloader isn't available out-of-the-box, so we don't have to worry about the endpoint coming back online and pushing broken (or malicious) updates.
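
The two checks described in this issue (a compiled-in checksum verified before a downloaded binary is run, and a download source restricted to one expected host) can be sketched as follows. This is an added example, not BizHawk's `FFmpegService` code or anything posted in the issue; the class and method names, the `sample.bin` entry with its digest, and the test URLs are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;

// Added illustration; every name and value here is hypothetical.
public static class PinnedDownload
{
    // Constructed sample pin: SHA-256 of the 5-byte ASCII string "hello".
    // A real table holds the digest of each released binary, compiled into the app.
    private static readonly Dictionary<string, string> Pins = new()
    {
        ["sample.bin"] = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824",
    };

    // Accept only https URLs whose host is exactly the expected one.
    // Apply this to the final URI after redirects, not just the first request.
    public static bool IsAllowedSource(Uri uri, string expectedHost) =>
        uri.IsAbsoluteUri
        && uri.Scheme == Uri.UriSchemeHttps
        && string.Equals(uri.Host, expectedHost, StringComparison.OrdinalIgnoreCase);

    // Hash the file on disk and compare it with the compiled-in pin.
    public static bool MatchesPin(string path, string pinName)
    {
        // A file with no pin is rejected rather than trusted (fail closed).
        if (!Pins.TryGetValue(pinName, out var expectedHex)) return false;
        byte[] actual = SHA256.HashData(File.ReadAllBytes(path));
        byte[] expected = Convert.FromHexString(expectedHex);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    public static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "sample.bin");
        File.WriteAllText(path, "hello");                  // constructed "download"
        Console.WriteLine($"intact file:   {MatchesPin(path, "sample.bin")}");
        File.AppendAllText(path, "!");                     // simulate a modified download
        Console.WriteLine($"modified file: {MatchesPin(path, "sample.bin")}");
        Console.WriteLine($"unpinned name: {MatchesPin(path, "other.bin")}");

        const string host = "retroachievements.org";
        Console.WriteLine($"exact host:    {IsAllowedSource(new Uri("https://retroachievements.org/"), host)}");
        Console.WriteLine($"lookalike:     {IsAllowedSource(new Uri("https://retroachievements.org.example/"), host)}");
        Console.WriteLine($"plain http:    {IsAllowedSource(new Uri("http://retroachievements.org/"), host)}");
        File.Delete(path);
    }
}
```

The pin only protects the launch if the bytes that were hashed are the bytes that get executed, so the check belongs immediately before the process is started, on the same path. The host check restricts where a file may come from but says nothing about its contents, which is why the issue text still asks for a signed checksum on that download.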
