Ideal Signal-Desktop / Element installation approach?

security:

That’s a general computer security question and unspecific to Whonix / Kicksecure.

From the perspective of Debian, Flatpak is a third-party package manager.

generally:

(Whonix is based on Kicksecure.)

Specifically on flatpak and flathub:
Install Additional Software Safely chapter Flatpak in Kicksecure wiki

new wiki chapter written just now:
Install Additional Software Safely chapter Flathub Package Sources Security in Kicksecure wiki

So I would say it depends on the specific application being chosen.

  • Who created the flatpak (publisher field on flathub)? The original developers or a third-party?
  • Has the flatpak been created from source code or is it a repackaged binary?
  • Has the flatpak been built by flathub or by a third-party?
  • Freedom or non-freedom license? (Open Source or closed source.)

https://www.reddit.com/r/flatpak/comments/w7dm0c/who_builds_binaries/


stream isolation:

As for stream isolation, that isn’t simple even when not using flatpak. → Stream Isolation chapter How to mitigate identity correlation in Whonix wiki

When using flatpak, that could be even harder as torsocks might not support flatpak because it is using its own sandbox which might quite conceivably break torsocks.

Stream isolation isn’t a simple yes/no thing. Multiple different Whonix-Workstation are stream isolated from each other but not every custom installed application inside Whonix-Workstation can be automatically stream isolated.

This is unrelated to apt, deb, manual installation or flatpak.

It’s a complex topic.

related:

1 blocker without considering further for now:
element is not available from packages.debian.org. related:

related:
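
Added example, not part of the original post: one way to check the "created from source code or repackaged binary" question from the list above is to read the application's flatpak-builder manifest and classify its sources. The app ids, URLs and the suffix heuristic below are assumptions made for illustration; an archive that looks like a source tarball can still contain prebuilt files, so treat a "source" verdict as a starting point for review.

```python
import json

# Suffixes that mark a prebuilt package rather than a source release (heuristic).
BINARY_SUFFIXES = (".deb", ".rpm", ".appimage", ".snap")

def classify_source(src):
    """Return 'binary', 'source' or 'other' for one manifest source entry."""
    if not isinstance(src, dict):
        return "other"  # a bare string points at an external file, not resolved here
    kind = src.get("type", "")
    url = src.get("url", "").lower()
    if kind == "extra-data":  # payload fetched at install time, never built
        return "binary"
    if kind in ("archive", "file") and url.endswith(BINARY_SUFFIXES):
        return "binary"
    if kind in ("git", "archive"):
        return "source"
    return "other"

def audit_manifest(manifest):
    """Walk all modules, nested ones included; return (module, verdict, url) tuples."""
    findings = []
    def walk(modules):
        for mod in modules:
            if not isinstance(mod, dict):
                continue  # string entry = include of another manifest file
            for src in mod.get("sources", []):
                verdict = classify_source(src)
                if verdict != "other":
                    findings.append((mod.get("name"), verdict, src.get("url", "")))
            walk(mod.get("modules", []))
    walk(manifest.get("modules", []))
    return findings

def is_repackaged_binary(manifest):
    return any(verdict == "binary" for _, verdict, _ in audit_manifest(manifest))

# Constructed sample manifests (hypothetical app ids and URLs).
REPACKAGED = json.loads("""{"id": "org.example.Messenger", "modules": [
  {"name": "messenger", "buildsystem": "simple", "sources": [
    {"type": "file", "url": "https://example.org/messenger_1.0_amd64.deb"}]}]}""")
FROM_SOURCE = json.loads("""{"id": "org.example.Chat", "modules": [
  {"name": "chat", "buildsystem": "meson", "sources": [
    {"type": "git", "url": "https://example.org/chat.git", "tag": "v1.0"}]}]}""")

if __name__ == "__main__":
    for m in (REPACKAGED, FROM_SOURCE):
        print(m["id"], "repackaged binary" if is_repackaged_binary(m) else "built from source")
```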