Shit missing internet got my comment deleted…

Appimage is not a neutral packaging format. Of course “an app packaged as .zip is as secure as packages as .tar.gz”. But the format causes all the things mentioned in the post.

• libraries are often the oldest non-EOL possible to support old kernels
• no transparency about used libraries and possible vulnerabilities
• no upgrades of libraries, always just the wanted app and then passively also the libraries
• no sandboxing without firejail (which is a root binary and thus can lead to privilege escalation of rootless processes if it has a vulnerability which it had in the past)
• no GUI sandboxing
• even with a repo no cryptographic signature verification like on Android (not sure about Flatpak which uses OSTree)
• requires users to execute code in random locations

So it is way less secure than Flatpak, thats a fact. It may not be worse than tarballs, but if those dont include the libraries even less secure than them.