Because a vulnerability in one DE’s file manager, for example, will have smaller impact because many people don’t use that DE.
Same with other things.
Also because that’s something we still had to worry about.
Flatpaks are more secure than system packages. They’re not installed with installation scripts that run as root (and can therefore do anything to your system if malicious code is slipped in.
Not all package managers even run install scripts (from packages) at all.
Flatpaks may contain vulnerable versions of libraries bundles, IIRC. While the one from the normal package manager has been updated.
Flatpaks also have sandboxing. It’s not a perfect implementation mind you, but it’s better than zero sandboxing.
I just don’t like the general direction of this. Running more and more complex and untrusted crap and solving that with more complexity.
I don’t know why you’d be certain of that. New stuff is generally designed from the ground up to be more secure.
More complexity - bigger probability of mistakes. Sometimes fundamental laws are enough.
Look at the absolutely cataclysmic security catastrophe that is X11 compared to Wayland.
I’m afraid of the day that may come where people will say that Emacs is a security catastrophe due to lack of isolation.