For non-open-source software, dependencies are often packaged with the software itself, so it would be the same in Flatpak or in the distro. It is true for software that uses shared libraries though.
What I don't like about installing it from the distro is polluting my OS and filling my /usr/bin with some user app that should live in my /home. But I agree that the security updates are a real issue.