Try this to manage application permissions: https://flathub.org/apps/details/com.github.tchx84.Flatseal

It's not really that bad. You are told the permissions requested by an app on installation:

  $ flatpak install flathub com.microsoft.Teams

  com.microsoft.Teams permissions:
      ipc     network     pcsc     pulseaudio     x11     devices     file access [1]     dbus access [2]     tags [3]
  
      [1] xdg-download
      [2] org.freedesktop.Notifications, org.freedesktop.secrets, org.gnome.SessionManager, org.kde.StatusNotifierWatcher
      [3] proprietary


          ID                           Branch          Op         Remote          Download
   1.     com.microsoft.Teams          stable          i          flathub         < 86.0 MB

  Proceed with these changes to the system installation? [Y/n]: 

and you can query an apps permissions at any time:

  $ flatpak info --show-permissions com.discordapp.Discord

  [Context]
  shared=network;ipc;
  sockets=x11;pulseaudio;
  devices=all;
  filesystems=xdg-download;xdg-pictures:ro;xdg-videos:ro;home;

  [Session Bus Policy]
  org.kde.StatusNotifierWatcher=talk
  org.freedesktop.Notifications=talk
  com.canonical.AppMenu.Registrar=talk
  com.canonical.indicator.application=talk
  com.canonical.Unity.LauncherEntry=talk

GNOME Software in GNOME 41 also has a much better list of permissions than the version shown in this article.

https://blogs.gnome.org/tbernard/2021/09/09/software-41-cont...

> x11 does not have a security model - any client can observe and manipulate any other client

This hasn't been the case for decades. X has the ability to isolate clients and/or only allow partial access to other clients. For example try this:

    $ xauth -f lockthisout generate :0 . untrusted
    $ XAUTHORITY=lockthisout xterm

The first line generates a new X authority file with a single entry that causes the display :0 to be untrusted. Then whatever runs inside xterm (or whatever you launch) will be considered as untrusted, e.g. you wont be able to run any OpenGL application or xdotool (it actually crashes after saying the XTEST extension isn't available, i guess it can't handle that case).

Note that this can be worked around by running "export XAUTHORITY=~/.Xauthority" since pretty much everything uses ~/.Xauthority for the local user (which is connected as trusted). This one can also be addressed by storing the session X authority file somewhere else (AFAIK some distros generate a new randomly named one for every session), or you could use something like AppArmor or SELinux to restrict the untrusted application's access to the session's X authority file. Or just run it as a different user who is always untrusted, though that can be inconvenient for some types of applications.

That said there are some issues, mainly because the whole X security functionality hasn't seen much attention in recent years. For example an untrusted client can't use 3D accelerated graphics but you may actually want to run a 3D app while not giving it access to everything else. Though that isn't due to some inherent limitation of X or whatever, just that since it never gained much attention (since the entire GUI sandboxing thing was never much of a priority) nobody bothered to work that part out.

In the future it might just be better for X desktop to be running untrusted applications under a Wayland "pseudocompositor" that simply lets X handle the actual window management (current Wayland compositors that can run under X create a window and treat it as a display which isn't exactly nice from a UX perspective and doesn't allow -trusted- X programs like xdotool work with Wayland windows).

> right now, you have to check the JSON file you linked to check how much access a flatpak program gets

In general, GUI package managers w/ Flatpak support show you the permissions, as does the CLI upon an attempted install.