It may have attention, but almost nothing uses it (also, it’s not that good security-wise to begin with, with developers defining their own permissions). Most everything is still just run as your user, having access to your ssh keys, browser caches, everything.
The user is able to, with pretty good granularity, set various permissions through friendly GUIs. Things like Flatseal or KDE's very own system settings. You can even override what permissions are set by default, pretty cool stuff. This is for Flatpaks.
Of course, using xdg-desktop-portal requires developers to use that API. But honestly, I've seen most software I use asking permissions through it. This is most evident when running some Wayland compositor.
To be fair, yes, the developer needs to do their part.
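
As an added illustration of the two points raised in this thread (not code from either poster or from the Flatpak project): the sketch below reads the developer-declared `[Context]` permissions from a Flatpak metadata file, applies a user override of the kind Flatseal or `flatpak override` writes, and reports whether the home directory (and so `~/.ssh`) is still reachable. The app ID, both sample files and the merge logic are constructed and simplified assumptions; real Flatpak has more filesystem values and precedence rules.

```python
import configparser

# Constructed sample: permissions the developer ships in the app's metadata.
APP_METADATA = """\
[Application]
name=org.example.Editor

[Context]
shared=network;ipc;
sockets=wayland;x11;
filesystems=home;xdg-download:ro;
"""

# Constructed sample: a per-user override; "!" revokes a default grant.
USER_OVERRIDE = """\
[Context]
filesystems=!home;~/Projects;
"""

# Simplifying assumption: these values cover ~/.ssh and browser profiles.
BROAD = {"host", "home", "~", "~/"}

def context_list(text, key):
    """Return the semicolon-separated values of one [Context] key."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    raw = cp.get("Context", key, fallback="")
    return [v for v in raw.split(";") if v]

def effective(app_text, override_text, key):
    """Apply override entries on top of the developer's defaults."""
    granted = context_list(app_text, key)
    for item in context_list(override_text, key):
        if item.startswith("!"):
            # Drop the revoked grant regardless of its :ro/:rw suffix.
            granted = [g for g in granted if g.split(":")[0] != item[1:]]
        elif item not in granted:
            granted.append(item)
    return granted

def exposes_home_secrets(filesystems):
    """True if any grant reaches the whole home directory or ~/.ssh."""
    for entry in filesystems:
        path = entry.split(":")[0]
        if path in BROAD or path.startswith("~/.ssh"):
            return True
    return False

if __name__ == "__main__":
    for label, override in (("defaults", ""), ("with override", USER_OVERRIDE)):
        fs = effective(APP_METADATA, override, "filesystems")
        print(label, fs, "home secrets reachable:", exposes_home_secrets(fs))
```
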