Because it’s not the same thing. Not even close! Anyone can be an official flatpak packager. If I want to make a flatpak for my game Snek, I am the official packager. You have to trust me if you’re going to use that flatpak (which effectively turns Snek into proprietary software!). If I put the PKGBUILD for Snek on the AUR, you don’t have to trust me at all, you just have to be sure to check what you’re installing.
If you use the official VS Code flatpak package, you have to trust Micro$oft. For every flatpak, it’s potentially a different packager. This is potentially thousands of people you need to trust. You need to decide for every flatpak whether the packager is trustworthy or not.
With the official repos, it’s only a handful of people (sixty or so) which you trust anyway if you’re using their operating system. Given that the average Arch Linux system contains close to 2000 installed packages, that’s not such a big number of people you need to trust.