Disclaimer
Flatpak uses OSTree, like Fedora Atomic Desktops (Silverblue, Kinoite etc) and similar to BTRFS snapshots.
So many files are deduplicated and linked, not actually there
https://gitlab.com/TheEvilSkeleton/flatpak-dedup-checker
50GB without
31GB with deduplication
21,4GB with BTRFS compression
So you dont have isolation from the system and a working permission system anymore…
If I need isolation, I can use fire jail. And I don’t know why I think they don’t have a working permission system. It works perfectly fine.
Firejail has some major vulnerabilities if you want to be secure. Bubblejail would be preferred but it has even less documentation not to mention presets like with Flatpak. So you need to sandbox every app yourself afaik
This is news to me, one of these major vulnerabilities?
https://madaidans-insecurities.github.io/linux.html#firejail
https://seclists.org/oss-sec/2017/q1/25
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firejail