Security difference between --user and --system Flatpaks?

I have a single user system.

When a user is in the flatpak group they are allowed to manage systemwide Flatpaks. This allows granular control, does not require wheel access and allows to exclude users for “child protection” or similar.

I know only one app that must be installed as a system Flatpak, “GPU Screen Recorder”, because it requires some hacky privilege escalation.

I wonder, why can only system flatpaks do that? Is there any security benefit of using user flatpaks?

I switched back from using user flatpaks, as I had duplicate libraries and wanted to slim down my system.

Are there any benefits on a single user system, for security alone, to use user Flatpaks?

There is no difference to security.

--system will make the app install to /var/lib/flatpak and make it available for every user on a system

--user will install it to a particular user’s home directory and only available to that user.

A system install does not give a flatpaked program extra privileges than a user install.

1 Like

Because it uses a hacky privilege escalation. It has nothing to do with being a user or system installation but with being runnable by root which is only possible if it’s installed into a installation accessible by root.

1 Like