However, in the same way, a compromised flatpak app can also put a malicious .desktop file in ~/.share/applications, which also allows execution of arbitrary commands, even outside of the flatpak sandbox.
User home permission is just incredibly dangerous on Linux; I think we need a special permission to explicitly allow access to these folders in home. Fortunately more and more apps are starting to support portals, which makes them much more secure.
Although, I do wish portals had an access-per-session vs. access-forever option. For now, if you open a folder through a portal, the app is granted r/w permission to that folder forever.
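A defender-side check for the launcher-shadowing concern raised in this comment, written as an added example (not code from the thread or from the Flatpak project): the XDG base-directory spec searches `~/.local/share/applications` before `/usr/share/applications`, so a user-level `.desktop` file can shadow a system launcher and its `Exec=` line runs outside any sandbox. The audit below parses each user-level launcher, reports those whose `Exec=` does not go through `flatpak run`, and reports those whose filename shadows a system entry. The sample launchers and the "system" directory are constructed in a temp directory so the script runs offline; the function and file names are this example's own.

```python
"""Audit user-level .desktop launchers for entries that run outside flatpak
or shadow a system launcher. Added example; sample files are constructed."""
import configparser
import shlex
import tempfile
from pathlib import Path

# XDG default user data dir (XDG_DATA_HOME) plus the applications subdir.
USER_APPS = Path.home() / ".local/share/applications"
SYSTEM_APPS = ("/usr/share/applications",)


def read_exec(path: Path):
    """Return the Exec= value of a .desktop file, or None if it has none."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # .desktop keys are case-sensitive
    cp.read(path, encoding="utf-8")
    if not cp.has_section("Desktop Entry"):
        return None
    return cp.get("Desktop Entry", "Exec", fallback=None)


def is_flatpak_run(exec_line: str) -> bool:
    """True only if the launcher invokes `flatpak run <app-id> ...`."""
    try:
        argv = shlex.split(exec_line)
    except ValueError:  # unbalanced quotes: do not treat as sandboxed
        return False
    return len(argv) >= 3 and argv[0] == "flatpak" and argv[1] == "run"


def audit(user_dir, system_dirs=SYSTEM_APPS):
    """Map launcher filename -> list of reasons it deserves a look."""
    findings = {}
    for path in sorted(Path(user_dir).glob("*.desktop")):
        exec_line = read_exec(path)
        if exec_line is None:
            continue  # Link/Directory entries carry no Exec=
        reasons = []
        if not is_flatpak_run(exec_line):
            reasons.append(f"Exec runs outside flatpak: {exec_line}")
        for sd in system_dirs:
            if (Path(sd) / path.name).is_file():
                reasons.append(f"shadows system launcher {sd}/{path.name}")
        if reasons:
            findings[path.name] = reasons
    return findings


# Constructed sample launchers for the demo (not real system files).
SAMPLE_USER = {
    "org.example.Viewer.desktop":
        "[Desktop Entry]\nType=Application\nName=Viewer\n"
        "Exec=flatpak run org.example.Viewer %U\n",
    "org.example.Editor.desktop":
        "[Desktop Entry]\nType=Application\nName=Editor\n"
        "Exec=sh -c \"echo constructed demo\"\n",
    "text-editor.desktop":
        "[Desktop Entry]\nType=Application\nName=Text Editor\n"
        "Exec=sh -c \"echo shadowed demo\"\n",
}
SAMPLE_SYSTEM = {
    "text-editor.desktop":
        "[Desktop Entry]\nType=Application\nName=Text Editor\nExec=gedit %U\n",
}


def build_sample():
    """Write the constructed launchers into a temp user/system pair."""
    root = Path(tempfile.mkdtemp(prefix="desktop-audit-"))
    user, system = root / "user", root / "system"
    user.mkdir()
    system.mkdir()
    for name, body in SAMPLE_USER.items():
        (user / name).write_text(body, encoding="utf-8")
    for name, body in SAMPLE_SYSTEM.items():
        (system / name).write_text(body, encoding="utf-8")
    return user, system


def demo():
    """Run the audit against the constructed sample and return findings."""
    user, system = build_sample()
    return audit(user, system_dirs=(str(system),))


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
    # Real run on this account's launchers:
    for name, reasons in audit(USER_APPS).items():
        print(name, "->", "; ".join(reasons))
```

Running it on a real account (the second loop in the `__main__` block) lists every user-level launcher that either does not go through `flatpak run` or overrides a system entry; legitimate non-flatpak launchers will show up too, so the output is a review list, not a verdict.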