Having a closed-source backend isn't the reason for malicious packages. There's a clear distinction between official and unofficial packages, and Flathub isn't immune to this either.
In comparison to Flatpak, each runtime (core[number]) is supported for 10 years, so developers aren't pressured to update it if the app keeps working. The side effect is that over time you will end up with a few extra core snaps on your system, but the peace of mind for the maintainers is worth it IMO.