This is a follow-up to an old thread about flatpak sandboxing and Chromium that died without resolution.
Chromium-based flatpaks now ship custom patches to adapt Chromium’s sandbox to the flatpak sandbox. These patches have not undergone upstream security review. In fact, according to some sources, they might even weaken Chromium’s security compared to the DEB/RPM distributions of Chromium, which would be a significant problem because the web browser has the largest attack surface of all user applications. Is there any truth to that claim?
In short, it’s up to the Chromium flatpak maintainers to convince Chromium developers to upstream their code and/or figure out (with them) what is missing in flatpak-spawn and open relevant feature requests or merge requests in flatpak.