Notification sandbox hole
Both the manifest here and the one at flathub¹ have
"--talk-name=org.freedesktop.Notifications",
I don't see any use of libnotify so this should be removed. GNotification does not need the hole to work, but I don't see any use of it either.
Edited by Maximiliano