cross-posted from: https://infosec.pub/post/15781466

Am I out of touch?

No, it’s the forward-thinking generation of software engineers that want elegant, reliable, declarative systems that are wrong.

  • F04118F
    1 month ago

    Yes, you’re right. Unofficial Flatpaks aren’t ideal and pose a security risk. Just like many convenience workarounds for apps that aren’t officially packaged, such as COPR, PPAs, AUR and the always great curl https://github.com/dev/repo/main/install.sh | bash. Not having a convenient way to install or update is a security risk too, of course. You’ll probably end up with outdated software.

    But both Flatpaks and the Wayland desktop have a focus on sandboxing as a security measure, and when implemented properly (official verified Flatpak / app that uses the Wayland API), they can both increase security. In practice, yes, the weakest link is the problem, of course. Hopefully soon, the vast majority of Linux apps will run either native Wayland or as Flatpaks, and that will significantly decrease the attack surface for the Linux desktop.