If you run your npm install in a properly set up container (and at some point in the future, Flatpak will set this up for you), it isn't going to do much. Yes, I'm well aware that containers should still be tought of as "not a real security boundary" given the amount of remaining attack surface, but even then the Android approach is not very different.