by julianlam 2017 days ago
No, probably because that's outside their scope and so they're not allowed to read them.

Surely the sane thing to do security-wise would be to mark each flatpak as needing config files foo and bar, and sticking those into the sandbox as well on launch. The app itself doesn't need filesystem access at runtime. Linux apps suddenly not reading standard config files on my system would be a pretty big downside.
I think part of the issue is that technically you cannot guarantee that config files written by the system-installed toolkit can be safely used by the flatpak-shipped toolkit. This said, I think flatpak actually makes an effort to use the ones available in the user’s home folder, whereas snap just does its own thing and screw everyone else.