For root to manage privileges in an OS, isn't a group the most straitforward way?
Can't flatpak read the groups of an user?