Piggybacking on Question1:
Can a flatpak distributed via flathub include code which is run with UID 0 during a flatpak install or flatpak update?
This is typically the case with platform native packages, usually in the form of pre- and post-install scripts in the package, even for software which never itself runs with elevated privilege.
My personal preference for desktops, which accounts for all flatpak use, is to use only per-user installs. In addition to separating the application files from the OS, it precludes any flatpack interfering with the OS - from the innocent littering of files to the insidious deployment of UEFI rootkits.
The applicable trust model(s) and threats can become quickly complex, so this provides no blanket protection against other categories of threats from snooping audio and video inputs to exfiltrating ~/Documents/passwords.csv, though flatpak’s permissions model provides some relevant access controls.