Thanks for the additional reading and information. Maybe it’s just me, but I feel like I hear about a security vulnerability in “processor microcode” or packages or other software basically every day. As a relatively non-technical user, it’s always very difficult to tell how much these things actually matter for normal users. Flatpaks are incredibly convenient because they “just work” and are easily compatible with immutable distributions. For better or worse, I suspect many people are not going to be dissuaded from using them by hypothetical/abstract security risks.
They need to work on their branding. “Cloud Native” triggers images of subscription services and data mining. But the idea here is that the whole OS and its components are all sort of containerized, so you can just pull pre-configured “cloud” images that are guaranteed to work out of the box to your machine.