You need to track and install updates on your own, including critical and security related ones.
Also this configuration is problematic to support as you cannot report related feedback or issues to Fedora resources.
You can use the upstream directly — I’d actually recommend the Flatpak for that (in this case, that’s published by Mozilla officially). Firefox Flatpak.
The version we ship is built to match Fedora policies, and may have some local fixes. The Fedora maintainer for Firefox (funded by Red Hat to work on this) is one of the (if not the) top contributors to keeping Linux support in good shape in upstream Firefox. So, there is a pretty tight connection, and therefore either way should be fine.
Other projects may be somewhat different depending on how that upstream ↔ maintainer relationship works.
I had issues in F37 with video acceleration. YouTube was almost unwatchable for example. Lots of stuttering, stuck frames, or flickering. I assume it was related to video acceleration being removedfrom the official AMD/Mesa drivers, but I never confirmed it. When I tried the official Flatpak version it worked perfectly, and that was good enough for me. (shrugs)
It is a minor point since both firefox should have sufficiently secure configurations by default, but Fedora’s Firefox is aligned with Fedora cryptographic configuration, which is a little more focused on security than others.
The major difference that users might experience here and there is that there are two TLS 1.2 standards, an original and a revised 1.2. The original Firefox intends to achieve best usability and still accepts the old 1.2, whereas the Fedora Firefox rejects connections to servers that focus on the old TLS 1.2, but of course it accepts the revised TLS 1.2. We had such a case already on ask.fedora, where a user was wondering.
However, generally you can re-configure Firefox. So this is just about defaults. Also, my perception is that the original TLS 1.2 is no longer widespread anyway. And even if a page still uses it, it is not as easy to break like WiFi WEP or so: it is more that the original 1.2 when deployed server-sided can end up in a key (“SHA1” is the problem) that does not fulfill best practices and where we cannot guarantee that it cannot be broken at some point later (not sure about today when it comes to massive computation powers if you are the archenemy of some powerful intelligence agency )
Just some complementary points about pros and cons