The need for a more granular security model has been apparent for some time. Browsers have demonstrated the value of site-centric security models. Modern operating systems like iOS and Android have demonstrated the value of application-centric security models. Flatpak offers an application-centric security layer on top of the legacy user-centric security model offered by our desktop operating systems. "No Fedora Flatpaks" means "no security improvements."
As the adoption of Fedora Atomic desktops increases, Flatpak becomes a more critical channel for the delivery of applications. Fedora Flatpaks ensure that all of the applications that Fedora builds can be published to Atomic desktops, on all of the architectures that Fedora supports, without any gaps. "No Fedora Flatpaks" means fewer applications on some architectures.
Flatpak ensures that Atomic desktop users get all of the developments that are happening in Fedora. For example, Fedora ensures a consistent cryptography policy across all applications and libraries, to ensure that no software is silently providing weak assurances. "No Fedora Flatpaks" means inconsistent behavior from application to application.
Flatpak allows the project to decouple applications from the OS on which they run, so that applications can migrate to new platforms and libraries asynchronously (for stable-release dependencies). That improves the reliability of applications on Fedora desktops. "No Fedora Flatpaks" means fewer tools to deal with regressions.
Fedora takes a more secure approach to managing security-critical rolling-release components. We do not label components "supported" if there will not be any further updates as security issues are discovered. That is not necessarily true of other Flatpak publishers, like Flathub's KDE platform[1]. "No Fedora Flatpaks" means exposing users to vulnerabilities.
Are Fedora Flatpaks perfect? Of course not. We need more maintainers who care about desktop security to maintain Flatpaks... to work with users and with upstream developers to scope access controls appropriately, so that applications function as expected, but don't expose more of the host system than is necessary. There's work to be done, but the work is what brings us together. It's why we're here.
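As an illustration of the access-control scoping mentioned above, here is an added example (not part of the original post and not Fedora's own tooling) that reads permissions in the keyfile format printed by `flatpak info --show-permissions` and lists the grants a maintainer would want to narrow. The sample manifest, the `BROAD` rule set and the `audit` function are constructed for this example.

```python
import configparser

# Constructed sample in the keyfile format printed by
# `flatpak info --show-permissions <app-id>`; not a real application.
SAMPLE = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=home;xdg-download:ro;!xdg-documents;

[Session Bus Policy]
org.freedesktop.Notifications=talk
org.freedesktop.Flatpak=talk
"""

# Assumed rule set: grants that expose far more of the host than most apps need.
BROAD = {
    "filesystems": {"host", "host-os", "host-etc", "home"},
    "sockets": {"x11", "session-bus", "system-bus"},
    "devices": {"all"},
}

def audit(text):
    """Return sorted (category, grant) pairs that deserve a maintainer's review."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # D-Bus names are case-sensitive
    cp.read_string(text)
    findings = []
    if cp.has_section("Context"):
        for key, broad in BROAD.items():
            for item in cp["Context"].get(key, "").split(";"):
                item = item.strip()
                if not item or item.startswith("!"):  # "!" revokes access
                    continue
                name = item.split(":", 1)[0]  # drop :ro / :rw / :create suffix
                if name in broad:
                    findings.append((key, item))
    if cp.has_section("Session Bus Policy"):
        # Access to this name lets an app run commands on the host, outside the sandbox.
        policy = cp["Session Bus Policy"].get("org.freedesktop.Flatpak", "none")
        if policy in ("talk", "own"):
            findings.append(("session-bus-policy", "org.freedesktop.Flatpak=" + policy))
    return sorted(findings)

if __name__ == "__main__":
    for category, grant in audit(SAMPLE):
        print(f"review: {category}: {grant}")
```

Subpaths such as `home/Projects` and revocations such as `!home` are deliberately not flagged, since those are the narrower grants the review is meant to steer toward.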