This is generally good advice. Would you run the program without a sandbox? No? Then you probably shouldn’t run it inside a sandbox either.
You can never be sure that the program isn’t using a flaw in the sandbox to break out or is just piggybacking onto a whitelisted action that is required for the program’s basic functionality.
And if some program requires r/w for your entire home directory and network access then you might as well not use a sandbox in the first place because it can already do everything useful that it needs to do.
I have a handful of applications from Flathub I trust, but that’s it.
I don’t see Flatpak as a security mechanism and I don’t treat it like one.
This is generally good advice. Would you run the program without a sandbox? No? Then you probably shouldn’t run it inside a sandbox either.
You can never be sure that the program isn’t using a flaw in the sandbox to break out or is just piggybacking onto a whitelisted action that is required for the program’s basic functionality.
And if some program requires r/w for your entire home directory and network access then you might as well not use a sandbox in the first place because it can already do everything useful that it needs to do.