There are portals: docs.flatpak.org/en/…/desktop-integration.html#po… . they allow secure access to many features. Also any flatpak app still has access to a private app-specific filesystem, just not to the host.
Doesn’t work for all applications but for many sand boxing is possible without a loss of features.