Why is full $HOME access default?

For every flatpak I’ve installed so far full $HOME access was default. Is this really the status quo? Can’t flatpak be made to work generally well with a default deny rule? Can we change the default to deny all new flatpaks from having access within $HOME unless explicitly granted? This would give credence to flatpak being a sandbox, but so few actually get Flatseal and configure it that “sandbox” seems to be a misnomer. Perhaps “can be sandboxed” would be fair until full $HOME access isn’t default.

A lot of applications don’t work without said permission.

Look at Flatseal if you want to break them. Flatseal | Flathub

They could easily be made to… For example if they only need access to a $HOME/.config/file - then only give them access to that. No reason for them to break unless they have access to ~/.config/autostart or ~/all_my_files…

So much of the flatpak system is already sandboxed… The drivers, libraries, and basically everything the app needs is installed. But then why leave open the most important access (your home filesystem) which could easily also be worked around?

It’s up to whoever packaged the app to set those permissions. If there’s a specific app with permissions too vague, you may want to raise an issue on their repo: Flathub · GitHub

Flathub itself is in a bit of a catch-22: No one will use Flatpaks if apps are constantly sandboxed to the point of being broken, but developers won’t spend the effort to make their apps sandbox-able if no one uses Flatpaks. For this reason, a lot of older apps especially, simply have access to the full $HOME.

That makes sense. I wonder if there is a way to generally encourage maintainers to try to get it working without $HOME access. Usually apps just need a place to download files to, which could be a per-app dir with explicit access.
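
The two points raised above (grant only the specific path an app needs, and give it a per-app download dir instead of all of $HOME) can be checked and enforced from the command line rather than through Flatseal. The script below is an added example and is not from this thread or the Flatpak project: it parses the keyfile-style metadata that `flatpak info --show-permissions APP_ID` prints (the `filesystems=` line under `[Context]`), flags any app whose grant covers the whole home or host tree, and prints a `flatpak override` command that drops that grant in favour of the download dir only. The app id `org.example.Editor` and the sample metadata are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the Flatpak project): audit an app's
# filesystem grants and suggest a narrower per-user override.

# Constructed sample, shaped like the metadata `flatpak info --show-permissions`
# prints for an app that was packaged with full home access.
SAMPLE_METADATA='[Application]
name=org.example.Editor
runtime=org.freedesktop.Platform/x86_64/23.08

[Context]
shared=network;ipc;
sockets=x11;wayland;
filesystems=home;xdg-run/gvfs;
'

# Read metadata on stdin, print each filesystems= entry on its own line.
filesystems_from_metadata() {
    sed -n 's/^filesystems=//p' | tr ';' '\n' | sed '/^$/d'
}

# $1: semicolon-separated filesystems value, e.g. "home;xdg-download;".
# Prints "broad" if any entry opens the whole home or host tree (with or
# without a :ro/:rw/:create suffix), otherwise "narrow".
classify_filesystems() {
    printf '%s' "$1" | tr ';' '\n' \
        | grep -Eq '^(home|host|~|/)(:ro|:rw|:create)?$' \
        && { echo broad; return 0; }
    echo narrow
}

# $1: app id, $2: filesystems value. For a broad grant, print the override
# that removes it and keeps only the XDG download dir (created if missing);
# the user can append the one extra path the app genuinely needs.
suggest_override() {
    if [ "$(classify_filesystems "$2")" = broad ]; then
        echo "flatpak override --user --nofilesystem=home --nofilesystem=host --filesystem=xdg-download:create $1"
    else
        echo "no override needed for $1"
    fi
}

# $1: app id, metadata on stdin. Report the verdict and, if broad, the fix.
audit_app_metadata() {
    fs=$(sed -n 's/^filesystems=//p')
    verdict=$(classify_filesystems "$fs")
    echo "$1: $verdict filesystem access (${fs:-none})"
    [ "$verdict" = broad ] && suggest_override "$1" "$fs"
    return 0
}

# Demo on the constructed sample.
printf '%s' "$SAMPLE_METADATA" | audit_app_metadata org.example.Editor
```

To run it against what is actually installed, replace the demo line with a loop over `flatpak list --app --columns=application` that pipes `flatpak info --show-permissions "$id"` into `audit_app_metadata "$id"`. The printed override is deliberately strict: after applying it, `flatpak override --user --show APP_ID` shows the user-level deny, and an app that then fails to open its own config can be given exactly that path with a further `--filesystem=~/.config/thatapp:create` instead of the whole of $HOME.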

There is a good post about this subject: