[incrudible]

> One thing I've not understood about flatpak (or their competition for that matter) is why don't these permissions get prompted when they're used?

The POSIX APIs do not have such permissions. You can attempt to put something in between and have lots of stuff break, that's what Apple did. On Linux, there is no such authority.

There are alternatives as well, such as sandboxing all the way up to using a hypervisor for every program, which is arguably what you need to run an untrusted program.

> We are living in a day and age where applications ask for overbroad permissions for many reasons, laziness, privacy invasion, and even legitimate use.

Fair enough, but Flatpaks are mostly open-source software and closed-source software can be monitored far better on a Linux system.