From https://developer.android.com/studio/build/dependencies#dependency-info-play:

When building your app using AGP 4.0.0 and higher, the plugin includes metadata that describes the library dependencies that are compiled into your app.

The "Dependency Info Block" this adds to the APK Signing Block turns out to be different every time a signed APK is built -- even if the signature and everything else is bit-by-bit identical -- making the build not reproducible.

If I make 2 copies of an unsigned APK and sign each separately with apksigner (using the same RSA key) I get 2 bit-by-bit identical signed APKs.

$ cp -i unsigned.apk signed-1.apk
$ cp -i unsigned.apk signed-2.apk
$ apksigner sign ... signed-1.apk
Signed
$ apksigner sign ... signed-2.apk
Signed
$ shasum signed-*.apk
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15  signed-1.apk
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15  signed-2.apk

But if I use Android Studio (or a Gradle signing config) to build a signed APK (from the same commit and using the same signing key), it will add the Dependency Info Block, which is not deterministic, and thus I never get bit-by-bit identical signed APKs.

Since this block is "encrypted by a Google Play signing key", I have no way of inspecting it to find out what is different every time.