Shit, missing internet got my comment deleted…
AppImage is not a neutral packaging format. Of course "an app packaged as .zip is as secure as one packaged as .tar.gz". But the format causes all the things mentioned in the post:
- libraries are often the oldest non-EOL versions possible, to support old kernels
- no transparency about the libraries used and their possible vulnerabilities
- no upgrades of libraries: you only ever update the app you want, and the libraries only passively along with it
- no sandboxing without firejail (which is a root binary and thus can lead to privilege escalation of rootless processes if it has a vulnerability, which it has had in the past)
- no GUI sandboxing
- even with a repo, no cryptographic signature verification like on Android (not sure about Flatpak, which uses OSTree)
- requires users to execute code from random locations
So it is way less secure than Flatpak, that's a fact. It may not be worse than tarballs, but if those don't include the libraries, it is even less secure than them.
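The "no transparency about used libraries" point above is something you can at least check for yourself offline. The following is an added example, not the commenter's code and not anything shipped by the AppImage project: a small Python inventory that walks an unpacked AppImage (the runtime's `--appimage-extract` flag leaves a `squashfs-root/` directory), reads the DT_SONAME and DT_NEEDED entries straight out of each ELF object's `.dynamic` section, hashes every bundled library, and lists which dependencies are not shipped in the image and will therefore be resolved from the host. It supports little-endian ELF64 only; the sample tree it builds for the demo (`libfoo`, `libbar`, `app`, `AppRun`) is constructed data, not a real application.

```python
"""Inventory the shared libraries bundled in an extracted AppImage (added example)."""
import hashlib
import struct
import sys
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_NEEDED, DT_SONAME = 0, 1, 14
EHDR = "<16sHHIQQQIHHHHHH"  # Elf64_Ehdr, little-endian
SHDR = "<IIQQQQIIQQ"        # Elf64_Shdr
DYN = "<qQ"                 # Elf64_Dyn (d_tag, d_val)


def parse_dynamic(data: bytes):
    """Return {'soname', 'needed'} for a little-endian ELF64 object, else None."""
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        return None
    ehdr = struct.unpack_from(EHDR, data, 0)
    e_shoff, e_shentsize, e_shnum = ehdr[6], ehdr[11], ehdr[12]
    shdrs = [struct.unpack_from(SHDR, data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    result = {"soname": None, "needed": []}
    for sh in shdrs:
        sh_type, sh_offset, sh_size, sh_link = sh[1], sh[4], sh[5], sh[6]
        if sh_type != SHT_DYNAMIC:
            continue
        # sh_link of .dynamic names the string table (.dynstr) its d_val offsets index into
        str_off, str_size = shdrs[sh_link][4], shdrs[sh_link][5]
        strtab = data[str_off:str_off + str_size]
        name = lambda idx: strtab[idx:strtab.index(b"\x00", idx)].decode("utf-8", "replace")
        for i in range(sh_size // struct.calcsize(DYN)):
            tag, val = struct.unpack_from(DYN, data, sh_offset + i * struct.calcsize(DYN))
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                result["needed"].append(name(val))
            elif tag == DT_SONAME:
                result["soname"] = name(val)
    return result


def inventory(root: Path):
    """Walk an unpacked AppImage tree and classify every ELF object in it."""
    bundled, skipped = {}, []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        if not data.startswith(ELF_MAGIC):
            continue  # scripts, icons, desktop files
        info = parse_dynamic(data)
        if info is None:
            skipped.append(str(path.relative_to(root)))  # ELF we do not parse (32-bit, big-endian)
            continue
        key = info["soname"] or path.name
        bundled[key] = {"path": str(path.relative_to(root)),
                        "sha256": hashlib.sha256(data).hexdigest(),  # look this up against known builds
                        "needed": info["needed"]}
    needed_all = {n for e in bundled.values() for n in e["needed"]}
    # Anything NEEDED but not shipped inside the image is resolved from whatever the host has.
    host_provided = sorted(needed_all - set(bundled))
    return {"bundled": bundled, "host_provided": host_provided, "skipped": skipped}


def build_fake_elf(soname, needed):
    """Constructed sample: minimal LE ELF64 with only .dynstr/.dynamic/.shstrtab. Not loadable."""
    dynstr = bytearray(b"\x00")
    def add(s):
        off = len(dynstr); dynstr.extend(s.encode() + b"\x00"); return off
    dyn = bytearray()
    if soname:
        dyn += struct.pack(DYN, DT_SONAME, add(soname))
    for n in needed:
        dyn += struct.pack(DYN, DT_NEEDED, add(n))
    dyn += struct.pack(DYN, DT_NULL, 0)
    shstrtab = b"\x00.dynstr\x00.dynamic\x00.shstrtab\x00"  # name offsets 1, 9, 18
    ehsize, shsize = struct.calcsize(EHDR), struct.calcsize(SHDR)
    off_dynstr = ehsize
    off_dyn = off_dynstr + len(dynstr)
    off_shstr = off_dyn + len(dyn)
    off_sh = off_shstr + len(shstrtab)
    shdrs = [struct.pack(SHDR, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
             struct.pack(SHDR, 1, SHT_STRTAB, 0, 0, off_dynstr, len(dynstr), 0, 0, 1, 0),
             struct.pack(SHDR, 9, SHT_DYNAMIC, 0, 0, off_dyn, len(dyn), 1, 0, 8, struct.calcsize(DYN)),
             struct.pack(SHDR, 18, SHT_STRTAB, 0, 0, off_shstr, len(shstrtab), 0, 0, 1, 0)]
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    ehdr = struct.pack(EHDR, ident, 3, 62, 1, 0, 0, off_sh, 0, ehsize, 56, 0, shsize, len(shdrs), 3)
    return ehdr + bytes(dynstr) + bytes(dyn) + shstrtab + b"".join(shdrs)


def make_sample_tree(root: Path):
    """Write a constructed stand-in for squashfs-root/ (sample data, not a real app)."""
    (root / "usr/lib").mkdir(parents=True, exist_ok=True)
    (root / "usr/bin").mkdir(parents=True, exist_ok=True)
    (root / "AppRun").write_text('#!/bin/sh\nexec "$APPDIR/usr/bin/app" "$@"\n')
    (root / "usr/bin/app").write_bytes(build_fake_elf(None, ["libfoo.so.1", "libc.so.6"]))
    (root / "usr/lib/libfoo.so.1.2.3").write_bytes(build_fake_elf("libfoo.so.1", ["libbar.so.2", "libc.so.6"]))
    (root / "usr/lib/libbar.so.2.0.0").write_bytes(build_fake_elf("libbar.so.2", ["libc.so.6", "libm.so.6"]))


def demo_report():
    """Run the inventory over the constructed sample tree and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(Path(tmp))
        return inventory(Path(tmp))


if __name__ == "__main__":
    report = inventory(Path(sys.argv[1])) if len(sys.argv) > 1 else demo_report()
    for name, e in report["bundled"].items():
        print(f"{name:20} {e['sha256'][:16]}  needs: {', '.join(e['needed']) or '-'}")
    print("resolved from host:", ", ".join(report["host_provided"]) or "-")
```

Run it as `python3 inventory.py squashfs-root` after extracting a real AppImage, or with no argument to see the constructed sample. The "resolved from host" line is the interesting one for the argument above: those are the libraries the bundle quietly depends on without shipping, while everything in the bundled list is frozen at whatever version the packager built against and will not receive distro security updates. The SHA-256 per library is there so you can compare against a known build rather than trusting a version string in a file name.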