They aren’t inherently safe. I don’t have any examples of Flatpak packages off FlatHub being poisoned, but FlatHub does allow “community” maintained packages - as in, someone unaffiliated with the development team of an app packages and publishes the app to FlatHub. That would seem to be a really good place to get into a supply chain if you were a bar actor.

Nothing can ever be always secure.

deleted by creator

Flathub is likely safer than most other places to get flatpaks from, certainly safer than just some random repo you find on some guy’s website somewhere, but no software source is guaranteed to be 100% safe.

No, they are not always safe.

Be picky about what you install, and vigilant about permissions.

Not 100%, it’s not very hard to push packages to Flathub.

On the contrary, downloading files from flathub are never safe because it does not verify signatures, unlike secure package manager like apt

I think so. In some cases the flatpaks are prepared by the developers themselves. This isn’t in itself a sign of trustworthiness, but if a dev were to sneak malicious code in somewhere and it were found out… Well, the internet is the courtroom, and the public the jury, right?

But, it is a piece of software, and you never know what one little dependency can do. Same can be said about repos.

The general community is probably going to catch any issues that pop up extremely quickly. Like my main machines are all on whitelist firewalls residing on external devices. If any software tries to make odd connections, the connections will get dropped and logged. I wouldn’t hesitate to report anything odd. I don’t run sketchy proprietary junk for the most part.

Yes. Flathub aims to replace your distro’s repository as the source for non-system packages.