Or actually do anything useful? No network, no filesystem.. it's a hello world app isn't it..
No filesystem access for a flatpak app just means it cant read host system files on its own, without user permission. You can still give it files or directories of files through the file explorer for the app to work with, just that it's much safer since it can only otherwise view files in its sandbox.
Which is fine for some apps, try that with an IDE.
Why does an IDE need unfettered access to my whole FS? Access to the project directory, and maybe the runtime directory, have to be enough.
To be fair, the title says more apps, not all apps..
Doesn't work for all applications but for many sand boxing is possible without a loss of features.
There's Obfuscate, an image redactor, and Metadata Cleaner which is self-descriptive. Both works properly without any filesystem access at all, because they use the file picker portal to ask the user for the files to be processed.
Or actually do anything useful? No network, no filesystem.. it's a hello world app isn't it..
No filesystem access for a flatpak app just means it cant read host system files on its own, without user permission. You can still give it files or directories of files through the file explorer for the app to work with, just that it's much safer since it can only otherwise view files in its sandbox.
Which is fine for some apps, try that with an IDE.
Why does an IDE need unfettered access to my whole FS? Access to the project directory, and maybe the runtime directory, have to be enough.
To be fair, the title says more apps, not all apps..
There are portals: https://docs.flatpak.org/en/latest/desktop-integration.html#portals . they allow secure access to many features. Also any flatpak app still has access to a private app-specific filesystem, just not to the host.
Doesn't work for all applications but for many sand boxing is possible without a loss of features.
There's Obfuscate, an image redactor, and Metadata Cleaner which is self-descriptive. Both works properly without any filesystem access at all, because they use the file picker portal to ask the user for the files to be processed.
Portal.