The quality of the flatpak's sandbox has been rightfully questioned many times. The most atrocious thing about it is that it's the app publisher who decides what the permissions should be. Little wonder that if you go to flatpak.org, you won't even see the words "sandbox", "safe", or "secure".
Nor does their FAQ describe their sandboxing as a security feature, more like a (limited) isolation technique.
But this isn't stopping flatpak zealots who just won't shut up about the "sandbox == secure" falsehood.
I don't know, I'd prefer a technology which is upfront about its lack of security over one which has a glaring hole in what they call (a false sense of) "security". I treat flatpaks and appimages as mostly equal things and use them to keep and run proprietary stuff so that I know it won't be shitting its guts all over the host system.