Flathub reviewer here. We do not security audit code of any project as thats just unreasonable. The user puts ultimate trust in the upstream projects we just ensure that the right upstream is used, libraries are up to date and sanely built, permissions are as reasonable as they can be, etc.

This is identical to every traditional distro like Debian or Fedora.

I'm assuming you're talking about traditional package managers. Proprietary packages aren't uploaded to the main package repositories from what I've seen. The company will typically provide the packages themselves (e.g., a deb or rpm file), and sometimes they'll provide their own repositories for easier delivery. This has been my experience with Dropbox, SpiderOak, and Sublime Text.

The review is to get your access to publish, not the code submitted. So pass that, package honestly for 6 months, deploy malware.