Flatpak vs AUR?

That is an interesting one. I also use flatpaks on an exception basis. However, when I do use them, I only use them if they are provided officially by someone directly associated with the publisher/project/company.

I don’t use the Steam flatpak because it is packaged by an individual and reviewing the source on every update is far more work than with an AUR package.

3 Likes

I am not reviewing source code of any package. Besides, what does “review” actually mean?

That is not true. Flatpak applications are sandboxed and isolated from the OS to a certain extent. Also, you can manage application permissions. If you have a trusted source for a flatpak application, it is usually more secure than the same application from the AUR because of that.

When the software maintainer/developer says to use one over the other, my advice is to research and find out what the best practice for your needs is, as everyone has their own use case and needs.

1 Like

I suppose @dalto referred to the source of the original package, the one being downloaded and eventually built when opting for AUR or the one being packaged as Flatpak… in Steam’s case, whether it comes directly from Valve servers or not.

No, I found few programs available in flatpak or snap that were not in the AUR.

While I normally prefer AUR, this approach suggested by @smokey is the one I tend to adopt as well… one of the few examples for me is Bottles (GTK frontend to Wine): the devs originally provided an AUR package as well, but after a few versions they kind of discontinued the maintenance of the PKGBUILD, directing users towards Flatpak. Following several errors in the building process which I wasn’t able to solve, I surrendered and went the devs’ way.

1 Like

I can’t program, so I can’t review any source code. However, I currently only have packages from the official repositories and the AUR installed. So by using the official repositories I would think you put your trust in the Arch Linux developers and packagers; the only thing I review before installing or updating is the PKGBUILD of the AUR packages I have installed on my system.

Oh, it’s definitely true that the AUR is more secure. Flatpak sandboxing means absolutely nothing in practice if you have a malicious or incompetent packager (which is always the main concern with third-party repos). It is even worse than nothing, actually, because it gives you a false sense of security.

The fact is: you have no idea what is inside a flatpak, because it wasn’t you who packaged it, regardless of sandboxing. If you are going to use a flatpak, you better know the packager and trust in his honesty and competence the same way you trust the Arch TUs, i.e. with potential root access to your machine.

With the AUR, if you care to know, you know everything about it. You are the one who is packaging it, so you don’t need to trust anyone except your own judgement. Therefore, the AUR is vastly more secure than any other software repo. It’s actually the highest security that is practically possible. It just requires you to be attentive and care about it, and not just do yay package and blindly press Enter a few times. If used in such a cavalier manner, the AUR is definitely not secure.

It is the same with open source as a whole: it CAN be more secure, but this added security is not inherent or automatic, but depends on the user. The user may decide to use it in the way it is “meant to be” or can use it like he would use a Windows system, blindly trusting anyone. In reality it is somewhere in between - I doubt that many users of the AUR check EVERY PKGBUILD they do (just because it’s inconvenient with packages which are regularly updated), but I also assume that many at least check the builds once in a while.

I, personally, try to avoid anything that is not official repo, and try to avoid AUR. I only use flatpak if there is no other way, and would never use snap or appimage. Because I hate spyware, that is.

He said:

If you have a trusted source for a flatpak application, it is usually more secure than the same application from the AUR because of that.

I consider it safe if the flatpak is official from upstream. Who, in their right mind, would install a flatpak from an unknown place/repo?

Sure, but you should at least check the AUR website for every package. See the popularity of the package, and if the package has been orphaned recently and if someone took over the maintenance. You know, basic things that raise alarms. If some package is very popular, and the same person has been maintaining it for years, the chances of something malicious suddenly being introduced are fairly low. But if someone new took over a very popular package, be extra careful. Read comments, upvote good packages (to potentially include them in the repos), etc… Be responsible about it.

In the end, the safety of the AUR is up to the user. It is the user who has full control and responsibility.
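An added example, not from any poster in this thread, that turns the checks in the post above into code: it reads the package record the AUR RPC "info" endpoint returns (field names as in that response; the sample record is constructed, not a real package) and raises the alarms described: orphaned, maintainer changed on a popular package, low adoption, flagged out of date, or just modified. The "known maintainer" comparison assumes you note the maintainer when you first install a package; the AUR itself does not keep that for you.

```python
"""Pre-install checks for an AUR package, following the advice in the post
above (popularity, orphan status, a new maintainer on a popular package).
Field names follow the AUR RPC "info" response; values are constructed."""
import json
import time

# Constructed sample, shaped like the JSON from
# https://aur.archlinux.org/rpc/v5/info?arg[]=<pkg> (not a real package)
SAMPLE_RPC_RESPONSE = json.dumps({
    "version": 5, "type": "multiinfo", "resultcount": 1,
    "results": [{
        "Name": "example-tool", "Version": "1.4.2-1",
        "Maintainer": "newperson",
        "NumVotes": 812, "Popularity": 14.3,
        "OutOfDate": None,
        "FirstSubmitted": 1_400_000_000, "LastModified": 1_700_000_000,
    }],
})

def review_aur_package(rpc_response, known_maintainer=None, now=None,
                       popular_votes=200, recent_days=14):
    """Return warning strings for the first package in an AUR RPC info
    response (JSON text or already-parsed dict). known_maintainer is the
    maintainer you noted when you first installed the package; keeping that
    note locally is an assumed bookkeeping step, not something the AUR does."""
    data = json.loads(rpc_response) if isinstance(rpc_response, str) else rpc_response
    if not data.get("resultcount"):
        return ["package not found in the AUR (deleted or renamed?)"]
    pkg = data["results"][0]
    now = time.time() if now is None else now
    warnings = []
    maint, votes = pkg.get("Maintainer"), pkg.get("NumVotes", 0)
    if maint is None:
        warnings.append("orphaned: no maintainer, anyone can adopt it")
    elif known_maintainer and maint != known_maintainer:
        warnings.append(f"maintainer changed: {known_maintainer} -> {maint}")
        if votes >= popular_votes:
            warnings.append("popular package with a new maintainer: diff the PKGBUILD")
    if votes < 10:
        warnings.append(f"low adoption ({votes} votes): few eyes on this PKGBUILD")
    if pkg.get("OutOfDate"):
        warnings.append("flagged out of date: upstream moved on, check why")
    age_days = (now - pkg.get("LastModified", now)) / 86400
    if age_days < recent_days:
        warnings.append(f"modified {age_days:.0f} days ago: read the latest PKGBUILD change")
    return warnings
```

A warning is a prompt to open the PKGBUILD (and its git history on the AUR) before building, not a verdict on the package.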

That’s assuming that the upstream is honest and trustworthy. It certainly doesn’t have to be. Micro$oft and Goolag regularly insert spyware into their software. For proprietary software, you have no choice except not to use it, but for open source, you do have a choice of where you want to source it from. Even with compiled binaries, you know where they are downloaded from, and you can decide whether you trust it or not.

For example, VS Code from the Arch repos (and VS Codium from the AUR) is vastly more secure than a flatpak from Micro$oft. Same thing for Audacity, the people who develop it are absolute crooks, but there are community forks that are safe.

Could you stop with this BS, we’re talking about any source, in the AUR we have some binary stuff, you can’t check the source.

That is a highly subjective view. In the end your statement is still false, because there are security advantages to using flatpak. That is simply the truth because of the different concepts of flatpak and the AUR. The AUR does not have a sandbox environment and cannot deal with permissions. That is an advantage of flatpak.

AUR packages can hide malicious code everywhere and it’s nearly impossible for a sane person to make sure they don’t. The difference, especially for official flatpak packages, is that they are usually made by the official project maintainers, while the AUR packages are often made by third-party individuals.

I always trust official projects more than a random dude on the AUR.

You answered the wrong person. :grinning:

I always use the wrong reply button…

That’s not true. Whenever something malicious gets into the AUR, it’s usually noticed within a few hours, at most days. I’ve never heard of malware being included in the AUR that took months before it was discovered.

Flatpaks decide the levels of sandboxing. A malicious packager can bypass that. Sandboxing is absolutely meaningless in that case.

Sandboxing is useful when you have software that you know might be malicious, yet you still want to run it, and the packager is completely benevolent and wants to make it more secure. This is often true for… well… :parrot: shared software with copy restrictions. In that case, Flatpak definitely makes sense (though I wouldn’t encourage anyone to break any laws, I would never, officer, trust me :frog:).

Like I said, often, a third party is more trustworthy than the official developers, especially for “freeware”, and especially for software that comes from developers who have proven again and again that they are malicious, like Goolag and Micro$oft. It differs from one case to another. I’m not saying that there aren’t trustworthy flatpaks, of course there are. What I’m saying is that Flatpak is not at all a transparent packaging system, while the AUR is fully transparent.

Let us simply put it this way.

If I install the Spotify package in flatpak, it has security advantages over the AUR version. As a user I can even strip the flatpak app of permissions after or while installing the flatpak package. That is an advantage compared to AUR packages.

Also, while installing, you get the notification of what permissions the package will have after installing it.

And in the end the app simply cannot bypass the permissions by itself. At least I can’t find a source that says otherwise.

We can talk all we want, but flatpak simply has pretty good security advantages over the AUR.
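An added example, not from any poster in this thread, showing the permission review and stripping the post above describes: it parses the keyfile text that `flatpak info --show-permissions <app-id>` prints, lists the broad grants (network, whole host filesystem, unfiltered session bus, and the right to talk to the Flatpak service itself), and builds the `flatpak override` command that removes them. The permission text is a constructed sample for an imaginary app id, and `flatpak override --user` is the standard per-user override mechanism, not anything specific to Spotify.

```python
"""Review the permissions a Flatpak declares and build the `flatpak override`
command that strips the broad ones, as the post above describes. Input is the
keyfile text that `flatpak info --show-permissions <app-id>` prints; the
sample below is constructed and belongs to no real application."""
import configparser

# Constructed sample, shaped like `flatpak info --show-permissions` output
SAMPLE_PERMISSIONS = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;session-bus;
devices=dri;
filesystems=host;xdg-download;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
"""

# (section, key, value) -> (what it grants, the override flag that removes it)
BROAD_GRANTS = {
    ("Context", "shared", "network"): ("network access", "--unshare=network"),
    ("Context", "filesystems", "host"): ("whole host filesystem", "--nofilesystem=host"),
    ("Context", "sockets", "session-bus"): ("unfiltered session bus", "--nosocket=session-bus"),
    # talking to the Flatpak service lets an app run commands outside the sandbox
    ("Session Bus Policy", "org.freedesktop.Flatpak", "talk"):
        ("can spawn commands on the host", "--no-talk-name=org.freedesktop.Flatpak"),
}

def parse_permissions(text):
    """Parse keyfile text into {section: {key: [values]}}; list values end in ';'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep keys and bus names case-sensitive
    cp.read_string(text)
    return {s: {k: [v for v in val.split(";") if v] for k, val in cp[s].items()}
            for s in cp.sections()}

def broad_permissions(text):
    """Return (description, override flag) for every broad grant present."""
    perms = parse_permissions(text)
    return [(desc, flag) for (sec, key, val), (desc, flag) in BROAD_GRANTS.items()
            if val in perms.get(sec, {}).get(key, [])]

def override_command(app_id, text, user=True):
    """argv for a per-user (or system-wide) `flatpak override` that removes each
    broad grant; empty list when the app declares none of them."""
    flags = [flag for _, flag in broad_permissions(text)]
    if not flags:
        return []
    return ["flatpak", "override"] + (["--user"] if user else []) + flags + [app_id]
```

Run `flatpak info --show-permissions <app-id>` again after applying the override to confirm the effective permissions changed; an app that needs one of the stripped grants to function (the post mentions internet access) will simply fail at that point rather than regain it.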

Yeah, but Spotify is proprietary spyware anyway, why would you even want to install that? It’s a really bad example.

Sure, in that one case, when you want to run malware (I guess you enjoy being abused by DRM :man_shrugging:), Flatpak makes more sense. However, if you sandbox it properly, it won’t even work (it needs an internet connection, doesn’t it?).

Because people may want to use Spotify. Use any other package then. There are enough packages out there that people may want to use. Many don’t need internet access for example, are open source and verified. For that we can simply choose to use the flatpak version and can be sure they won’t access the internet.

On top of that, the packages will most likely work independently of Arch packages, which is another advantage.

Overall, let us simply say flatpak has security advantages, because it obviously has. On top of that, it has other advantages, which, for many users, outweigh the advantages of the AUR.