That’s not my point. I use Flathub but I try to only use verified apps which were packaged by the actual dev.
I’d rather get a deb from the official dev than a flatpak from flathub packaged by someone who is essentially anonymous and could easily inject malicious code.
If you think the dev himself could inject malicious code in the official app, then you should be super aware that an anonymous Joe can too, and is far more likely to.
Anyway flatpak ideally was supposed to save Devs the work of packaging for every distro so it makes sense that the real actual verified dev of the app would package the flatpak/snap himself