When Flapak installs an application as a user it does not prompt for a user password. If a machine is shared a non administrator could install a unauthorized application.
I would request that the administrator password is requested when installing an application in the same manner as “apt install” on Debian
You will need to raise that in the flatpak issue tracker, but I think it probably won’t happen.
No, this is expected, installing as a user does not require any password.
This will depend on the distro’s polkit rules, no? As such, indeed you’ll need to talk with your distro’s packagers or your friendly local sysadmin.
That’s for system installs, if the user is in the sudo/wheel group they don’t need to authenticate for system installs, user installs are passwordless as it affects only that user.