Comment by Arnavion
It does in the sense that all the applications you install will be via flatpak, so they get sandboxed that way. Of course it depends on how locked down the sandbox is configured for each of those applications.
It does in the sense that all the applications you install will be via flatpak, so they get sandboxed that way. Of course it depends on how locked down the sandbox is configured for each of those applications.
>Apps pretty much uniformly either silently get read access to all your files
This is outdated information. The situation has improved since the publishing of flatkill with flathub loudly warning about permissions and less apps having full R/W access.
Android apps can be configured insecurely too although less severe, still it's the users responsibility to check and modify permission.
In either case it's a substantial improvement from no isolation at all with much easier handling than other sanbox tools or MACs.
> less apps having full R/W access.
Not good enough when apps can still silently have full access to home and /media without the user even realizing.
The S in Flatpak stands for Security.
Flatpak is primarily a convenience mechanism for app makers. Any security boundary you may find in it is optional, all defaults are always toward not breaking apps. Apps pretty much uniformly either silently get read access to all your files, and even when that is not true they often get permanent read-write access to any file you open in them.
Go look at the permissions for GNOME Papers. Try to argue that it's "sandboxed".