I don't think it's so much "ugly truths people try and sweep under the rug" as "we do not yet appear to have a practical way to actually do anything about it without vastly reducing the usefulness of the system". There are ways to improve things a bit with your choice of sandboxing tech, but those are frequently either ineffective (oh good, an attacker who compromises can only get to my bank account, but not my SSH keys), high-friction (flatpak portals are cool so long as you don't mind manually approving all file access), or both.
> flatpak portals are cool so long as you don't mind manually approving all file access
And by “manually approving all file access” you mean “opening the file in the file picker like normal”, right? There are some apps where using a file picker at all is awkward, but I’d argue in most applications it’s basically what you’d do anyway. Certainly most applications that non-developers would use.
The bigger problem is that lots of Flatpak applications still don’t use portals.
I remember my first time using a photo application in a flatpak, I had no idea how to get images it saved to a place I could then upload with my browser. It was rather frustrating.
