A lot of Flatpak applications ship with filesystem=home, and this effectively opens up ways of indirectly getting root access (since you can override sudo by editing .bashrc), or of overriding .desktop files (of, say, system settings) to point to your application instead, which a user is more likely to enter their password into when opening it, or of overriding environmental variables; you get the picture.

It's not as if non-Flatpak apps can't do this either, but the false sense of security from Flatpak may encourage people to download apps they wouldn't otherwise.

Unlike Android/iOS, where Google/Apple can push developers to update their apps to use new APIs, or say bye-bye to those that don't, there's no motivation for Linux app devs to update their applications to use portals to avoid the need for filesystem=home, and as long as that exists people will just install them with a false sense of security.

Flatpak is not a security project, it's an app distribution one (which I think it does a generally better job at than native packages, but the bar is low). The sandbox should be considered part of the separation from host dependencies, nothing else.
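
To check which installed apps actually hold the filesystem=home grant discussed above, the following added example (not part of the original comment) parses the keyfile printed by `flatpak info --show-permissions` and reports entries that expose the whole home directory. The function names and the sample metadata are constructed for illustration.

```python
import configparser
import subprocess

# "home" and "host" both expose the entire home directory to the app.
HOME_WIDE = {"home", "host"}

# Constructed sample of Flatpak permission metadata (keyfile format).
SAMPLE = """
[Application]
name=org.example.Editor

[Context]
shared=network;ipc;
sockets=x11;wayland;
filesystems=home;xdg-download:ro;

[Session Bus Policy]
org.freedesktop.Notifications=talk
"""

def home_grants(metadata_text):
    """Return (entry, writable) for each filesystems= item covering all of $HOME."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(metadata_text)
    raw = cp.get("Context", "filesystems", fallback="")
    found = []
    for entry in filter(None, (e.strip() for e in raw.split(";"))):
        if entry.startswith("!"):   # negated entries revoke access rather than grant it
            continue
        path, _, mode = entry.partition(":")
        if path in HOME_WIDE:
            # anything other than :ro lets the app write, e.g. to .bashrc
            found.append((entry, mode != "ro"))
    return found

def audit_installed():
    """Map each installed app id to its home-wide grants (requires the flatpak CLI)."""
    def run(*args):
        return subprocess.run(["flatpak", *args], capture_output=True,
                              text=True, check=True).stdout
    report = {}
    for app in sorted(set(run("list", "--app", "--columns=application").split())):
        grants = home_grants(run("info", "--show-permissions", app))
        if grants:
            report[app] = grants
    return report

if __name__ == "__main__":
    print(home_grants(SAMPLE))
```

An app flagged here can be narrowed per user with `flatpak override --user --nofilesystem=home <app-id>`, at the cost of breaking features that have not been ported to portals.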