These updates are trying to communicate through port 80, HTTP instead of HTTPS.
Due to patents the openh264 library is directly fetched from Cisco, who doesn’t have HTTPS. We can’t do anything about this.
When I perform a flatpak update, 3 versions of org.freedesktop.Platform.openh264
openh264 is autoinstalled by the runtimes, it’s not usually coming from apps.
flatpak list --runtime --columns=ref | xargs -I {} sh -c 'ver=$(flatpak info -m {} | grep -E "^version = (2.5.1|2.4.1|2.2.0)$"); [ -n "$ver" ] && echo "{} $ver" || :'
will tell you which runtimes are pulling it.