Yes, and I would add flatpak ensure security issues are never looked at. I believe if something in flatpak has a security problem, it will never be addressed.
Why, because it is in a flakpak and is separated from the OS, so the issue just sits there. This could end up being a problem for distros not using flatpak and for that matter the BSDs.
This is absolutely a false assertion. If your distro integrates flatpak then you will be prompted to update the runtimes. If you manually installed it then it’s on you to update things.
Now if the dev bundled deps then yes there is the possibility that they neglect to update those. But this situation is improving as runtimes add more popular deps, baseapps are also a new way to share bundles of deps which could reduce that burden. Repositories can also scan flatpak manifests and flag issues too.
Why, because it is in a flakpak and is separated from the OS, so the issue just sits there. This could end up being a problem for distros not using flatpak and for that matter the BSDs.