I agree the flatpak defaults are not at all secure, as they often let the developer choose what to sandbox. I think this is fair, but the user has recourse: you can globally block all installed flatpaks from having access to a specific resource, even if the app "requests" it.

All my apps by default have no /home and no network access. I do this by writing to .local/share/flatpak/overrides/global (per user) or /var/lib/flatpak/overrides/global for the system. I wish this was publicized more. The de facto app for flatpak permissions, flatseal, doesn't have this capability yet to my knowledge.
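An added example, not part of the comment above: a small audit of the overrides directory it mentions, checking that the `global` file denies network and home, and listing per-app override files that grant them back (per-app overrides take precedence over the global one). The function names, the `org.example.*` app IDs and the sample file contents are constructed for illustration.

```python
import configparser
import tempfile
from pathlib import Path

# Constructed sample: a global override denying network and home for every app.
GLOBAL_DENY = "[Context]\nshared=!network;\nfilesystems=!home;\n"

def context_list(path, key):
    """Return the ';'-separated list under [Context] <key> in an override keyfile."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(Path(path).read_text())
    raw = cp.get("Context", key, fallback="")
    return [item for item in raw.split(";") if item]

def audit(overrides_dir):
    """Report whether the global deny is in place and which apps re-grant access."""
    d = Path(overrides_dir)
    result = {"network_denied": False, "home_denied": False, "regrants": {}}
    g = d / "global"
    if g.is_file():
        result["network_denied"] = "!network" in context_list(g, "shared")
        result["home_denied"] = "!home" in context_list(g, "filesystems")
    for f in (sorted(d.iterdir()) if d.is_dir() else []):
        if f.name == "global" or not f.is_file():
            continue
        hits = ["network"] if "network" in context_list(f, "shared") else []
        # "host" includes the home directory; entries may carry a :ro/:rw/:create suffix.
        hits += [fs for fs in context_list(f, "filesystems")
                 if fs.split(":")[0] in ("home", "host")]
        if hits:
            result["regrants"][f.name] = hits
    return result

def demo():
    """Run the audit over a constructed overrides directory."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "global").write_text(GLOBAL_DENY)
        (d / "org.example.Editor").write_text(
            "[Context]\nshared=network;ipc;\nfilesystems=home:ro;xdg-download;\n")
        (d / "org.example.Viewer").write_text("[Context]\nsockets=wayland;\n")
        return audit(d)

if __name__ == "__main__":
    print(demo())
    print(audit(Path.home() / ".local/share/flatpak/overrides"))
```

The audit only looks at `home` and `host` entries; narrower grants such as `~/some/dir` in a per-app file are not flagged.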