That's interesting. So is Flatpak actually secure against malicious code? That is, would you trust running malware if it's packaged as Flatpak?
I'm saying this because we're talking through a platform that is trusted by the majority of pepple to run malware - the web browser. We don't manually check if the Javascript or Wasm code is good or bad before we visit a web page. Few people disable scripts altogether. We could have this level of trust in applications running on our system - but does Flatpak deliver it?
I wouldn't say that Flatpak is secure against specifically designed malware - applications can still run machine code directly on the CPU and make Linux system calls, and so could exploit any vulnerabilities (like privilege escalation) that they might have. However, I would certainly trust Flatpak to protect me against excessively snooping applications which are otherwise legitimate, which it can do by limiting access to specific filesystems or devices.
For JavaScript, web browsers have good sandboxing, but arguably also have a smaller attack surface than Flatpak because the page cannot run system calls directly. I don't yet know enough about WASM to know if that tangibly changes the situation.
I'm saying this because we're talking through a platform that is trusted by the majority of pepple to run malware - the web browser. We don't manually check if the Javascript or Wasm code is good or bad before we visit a web page. Few people disable scripts altogether. We could have this level of trust in applications running on our system - but does Flatpak deliver it?