The sandbox is in a sense working; the problem is that the folder the app accesses is more critical than what the user thought. We should make sure nothing in home will get executed: no bashrc, no scripts, no executables. In the "ideal" world you would never download and run any script or any executable (like on Android or iOS). All the user should be able to do is install or run Flatpak apps.
(Of course in practice as soon as you are programming a bit you'll want to open a terminal, run scripts and do stuff outside flatpak)
For the second point, well, it's just that updates are not frequent enough? This has nothing to do with Flatpak technology, right?
Maybe it's about time we break backwards compatibility, get rid of all dotfiles in ~ and move them to, say, .local/share/software_name, and then start restricting access to those folders?
But I still want to be able to use my Flatpak VsCode to edit config files in .local or .config, and I still want to use my Flatpak Gimp to edit images in .local/share/icons.
The chances of those things happening are rather low for the average user; a prompt would solve those cases and would be a way better solution than just allowing full access to ~ and any dotfiles.
There are WIP portals that, instead of giving access to the whole filesystem or the whole device list, would prompt the user to allow access to a specific device or a specific system feature.
Let's take for example a music player: you can give it access to the `xdg-music` folder only. But users will start complaining that their music is stored somewhere else, and they will want full access to their home folder or to the device list to play music from an external hard drive or whatever.
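As an added example, not the commenter's own words or code: a small POSIX shell check that audits the `filesystems=` line of a Flatpak `[Context]` section (the format used by an app's metadata file and by `~/.local/share/flatpak/overrides/<app-id>`, and printed by `flatpak info --show-permissions`) and flags entries such as `home` or `host` that grant the broad access discussed above, while treating `xdg-music` as narrow. The two sample permission blocks are constructed for the example; the app ids they stand for are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): classify Flatpak filesystem grants
# and report the broad ones. Works on text in the [Context] format.

# Constructed sample 1: an app shipped with full home access (hypothetical app).
SAMPLE_BROAD='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
filesystems=home;xdg-run/gvfs;
'

# Constructed sample 2: a music player restricted to xdg-music, read-only.
SAMPLE_NARROW='[Context]
sockets=wayland;pulseaudio;
filesystems=xdg-music:ro;xdg-run/pipewire-0;
'

# classify_fs_entry ENTRY -> prints broad | path | narrow | negated | unknown
classify_fs_entry() {
    # Drop an access suffix such as :ro / :rw / :create before matching.
    entry=${1%%:*}
    case "$entry" in
        '!'*)                               echo negated ;;  # "!home" in an override removes access
        home|host|host-os|host-etc|/|'~'|'~/') echo broad ;;  # whole home or host filesystem
        /*|'~/'*)                           echo path ;;     # one specific directory or file
        xdg-*)                              echo narrow ;;   # an XDG special dir or runtime socket dir
        *)                                  echo unknown ;;
    esac
}

# broad_entries TEXT -> prints each broad entry on its own line;
# returns 0 if any broad entry was found, 1 otherwise.
broad_entries() {
    line=$(printf '%s\n' "$1" | sed -n 's/^filesystems=//p')
    found=1
    old_ifs=$IFS
    IFS=';'
    for e in $line; do
        [ -n "$e" ] || continue
        if [ "$(classify_fs_entry "$e")" = broad ]; then
            printf '%s\n' "$e"
            found=0
        fi
    done
    IFS=$old_ifs
    return $found
}

# Stand-alone usage: report on both constructed samples.
if broad_entries "$SAMPLE_BROAD" >/dev/null; then
    echo "sample 1: broad filesystem access:"
    broad_entries "$SAMPLE_BROAD"
fi
if broad_entries "$SAMPLE_NARROW" >/dev/null; then
    echo "sample 2: broad filesystem access"
else
    echo "sample 2: no broad filesystem access"
fi
```

To run this against real apps, feed it the output of `flatpak info --show-permissions <app-id>` (and `flatpak override --user --show <app-id>` for user overrides, where a `!home` entry is how access is taken away again). Note that a `path` entry such as `~/.bashrc` is narrow in scope but still dangerous for the reason the thread gives, so the categories are a starting point for review, not a verdict.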
Things are not perfect, yeah, but many of those apps were not made with a sandboxed environment in mind. There are a bunch of new apps that were created with that in mind and use those portal features. Things are getting better, slowly maybe but surely! The Flatpak packages will improve with time and we will get a better way of distributing apps safely and easily on Linux.