Using MEGAsync as an example, it has a few directories listed as “Can create files in the directory”; those are annotated as
:create in the manifest. However, this wording is misleading: the actual meaning of
:create access, quoting Sandbox Permissions Reference, is
read/write access, and create the directory if it doesn’t exist
Current wording on flathub implies that application will have write-only access to the directory; this may make users think that application can’t actually read files stored in there. This can lead both to users looking to manually switch to read/write access if they want application to be able to read those files and to users believing that their data is more secure (i.e. is not readable by the app in question) than it actually is.
I suggest to change wording to match read/write access more closely:
Can read and write all data in %s (will be created if it does not exist)