I worked security while we created and shipped an enterprise Linux distro and maintained AT&T Unix.
Flatpaks, even at their best, break Single Source of Truth for installed state. This alone should invalidate them, but they also don’t validate contents against a signed manifest like proper packages will, and so the supply-chain exploits are a huge risk.
But if all your friends do risky things and you need to join them, then you be you.
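The point about validating installed contents against a signed manifest is the kind of check a package manager performs (for example `rpm -V` comparing on-disk files to the digests recorded at install time). The following is an added illustration, not code from the comment above or from any package system; it builds a manifest of file hashes, signs it, and then verifies an install tree against it. HMAC-SHA256 with a shared key stands in for the detached public-key signature a real distro would use, and the install tree, file contents and key are constructed for the example.

```python
"""Added example: a minimal "signed manifest" check of the kind a package
manager performs. HMAC-SHA256 with a shared key stands in for the detached
public-key signature a real package system would use (an assumption made for
this illustration)."""
import hashlib
import hmac
import json
import os
import tempfile

# Constructed signing key for the example; a real distro keeps its private key offline.
SIGNING_KEY = b"example-distro-release-key"


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record the SHA-256 of every file under root, keyed by relative path."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            entries[os.path.relpath(full, root)] = sha256_file(full)
    return entries


def sign_manifest(entries, key=SIGNING_KEY):
    """Serialise the manifest deterministically and attach a signature over it."""
    body = json.dumps(entries, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"manifest": body.decode(), "signature": sig}


def verify_install(root, signed, key=SIGNING_KEY):
    """Return a list of problems; an empty list means the tree matches the manifest.

    The signature is checked first so that a tampered manifest cannot be used
    to approve tampered files.
    """
    body = signed["manifest"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["signature"]):
        return ["manifest signature invalid"]
    entries = json.loads(body)
    problems = []
    for rel, digest in entries.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            problems.append(f"missing: {rel}")
        elif sha256_file(full) != digest:
            problems.append(f"modified: {rel}")
    return problems


def demo():
    """Install two constructed files, sign them, then tamper with a file and
    with the manifest itself; return the three verification results."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "tool"), "w") as f:
            f.write("#!/bin/sh\necho ok\n")
        with open(os.path.join(root, "README"), "w") as f:
            f.write("constructed sample\n")
        signed = sign_manifest(build_manifest(root))
        clean = verify_install(root, signed)
        # Post-install modification of a shipped file is caught by the digest check.
        with open(os.path.join(root, "bin", "tool"), "a") as f:
            f.write("echo extra\n")
        tampered = verify_install(root, signed)
        # Swapping in an empty manifest without re-signing is caught by the signature check.
        forged = dict(signed, manifest=json.dumps({}))
        forged_result = verify_install(root, forged)
    return clean, tampered, forged_result


if __name__ == "__main__":
    print(demo())
```

`demo()` returns an empty problem list for the untouched tree, `["modified: bin/tool"]` after the file is altered, and `["manifest signature invalid"]` when the manifest is replaced without a valid signature, which is the property the comment says a proper package provides and an unsigned bundle does not.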