GNOME Software should show permissions before installing flatpak
When you manually install a flatpak via command line it shows you this:
$ flatpak install flathub ind.ie.Gnomit
Remote ‘flathub’ found in multiple installations:
1) system
2) user
Which do you want to use (0 to abort)? [0-2]: 2
Installing in user:
ind.ie.Gnomit/x86_64/stable flathub ae8df0030467
permissions: ipc, network, wayland, x11
file access: host, xdg-run/dconf, ~/.config/dconf:ro
dbus access: ca.desrt.dconf
ind.ie.Gnomit.Locale/x86_64/stable flathub 38f3aacb783a
Is this ok [y/n]:
In a more user-friendly way this should also be shown when installing flatpaks via GNOME Software.
Comparison
You can take some ideas from systems like Android, where you get some screen like this for installing APKs, too.
Background
As https://flatkill.org/ explains:
Almost all popular applications on flathub come with filesystem=host, filesystem=home or device=all permissions, that is, write permissions to the user home directory (and more), this effectively means that all it takes to "escape the sandbox" is echo download_and_execute_evil >> ~/.bashrc.
So obviously they don't have to, but it's good to know, if users at least know something has access to their home directory or so.
Edited by rugk