This often means unofficial builds that aren’t from the developer that sometimes have sandbox specific issues the devs didn’t contemplate because they don’t actually do flatpaks. If someday the random bob who is neither the original developer nor some trusted individual connected to the distro is hacked they may push out a malware enabled update that pwns all the people who automatically update in short order. This doesn’t seem like a security increasing feature.