While most Flatpaks by default aren't all tuned up, you can easily set overrides for them, see `man flatpak-override`. There also exist `Flatseal` which is a GUI for doing so.

AppImage can be used with Firejail.

Firejail use is trivial to setup, we try to keep out of box breakage minimal but still strict, just `sudo apt install firejail && sudo firecfg` + a logout and back in. Disclosure: I am one of the core Firejail contributors.

Thank you for firejail! I use it to sandbox Zoom, which is one of the few proprietary tools I need to use for work, and it works perfectly.

Telling people "just use flatpak and you are safe" is plain wrong and dangerous.

Containers are _not_ safe, that's why Amazon created firecracker, and Google created gVisor.

Containers are a _convenience_, not a security measure. All security precautions apply to container apps as any other apps.

Flatpaks aren't docker containers, though. They should be safer. The most glaring hole in most flatpak is X11 access.

There have been some flatpak CVEs in the past, but I wonder what your claim of them not being secure is based on, other than general principles: yes, there could be a bug in the sandbox, but besides that?