It's a totally different concern. I don't understand how PPAs and similar distribution approaches (i.e. native packages with hosted build systems) are getting mingled with flatpak and/or snap sandboxing objectives.

You can distribute open source software via flatpak or snap. And you can create a build system that takes open source software as a source and creates a flatpak or snap distribution.

It's totally possible to hide a backdoor in an open source software.

A working sandbox will prevent certain attacks to your system, whether it was built from an open source or not. This already works on most (all?) mobile operating systems.

when was the last time you fully audited a ppa? Like the source, that it builds from the canonical source, all patches it applies, all install scripts it packages and all changes it actually does? The trustworthiness of the ppa author. I know that I at best do cursory checks based on the reputation the author or the source linking to the PPA have, but I'm aware that this is a honor based system, and open source is practically irrelevant to that.

OpenSource doesn't prevent CVEs that allow attackers to take over anyway.

What If you install script has a bug that lets an attacker place arbitrary SUID binaries? Or it has a bug that deletes your entire system (Steam had this bug and the script was open and available, they weren't the only ones either).

I would not really call RPM Fusion a PPA - it's basically a repo with packages that are inherent not open source or patent encumbered and can't thus be in regular Fedora repos (and Copr actually). Otherwise the community maintains it to a very similar standard as the regular Fedora repos.

Compared to that Copr is a real PPA where you can build stuff into personal repo (as long as its built from source, licensing is fine & the thing is not patent encumbered).

This is the perfect and not possible territory. Even with full access to the source, you can't be sure if it's malicious, or if it can be made malicious at runtime.