Access scoped to a directory is a big improvement over an unsandboxed process. Any unprivileged program can trivially steal your browser sessions by reading your profile dir, but with Flatpak it would be possible to only grant it access to your "documents". I don't know if this is currently done in practice though, or if it's still common to just grant it full access to ~, including dotfiles. Even if so, the technology is there, showing a clear route to improvement