I mean, there's an argument that this is worse. If a security bug is found in libc, in the "old world," your distro would have an update out in a day, and you'd be completely safe. With flatpak, you also depend on whoever's maintaining the GIMP flatpak (and all your other apps), who may not be motivated to do updates any faster than GIMP's normal release schedule, potentially leaving you vulnerable for much longer.
> your distro would have an update out in a day, and you'd be completely safe
If you do not restart your services after updating the package, your services continue to run against the exact libs they were started with, even though the library is updated on disk and anything new that starts will use the fixed version. For something like the libc, that is pretty much every service bringing it in and still running the unpatched version of the library.
Updating distro packages is of course usually a good thing, but alone it does not make you "completely safe".
Also they have a patched version "in a day" because they embargoed public release of the vuln details usually for months, creating a gap where a (growing...) set of people know a secret that can compromise your system and you don't. When I get that update I don't feel "completely safe".
And for a lot of smaller apps, they're unable to realistically support being distributed in many different distributions. Flathub is cross-distro and easier for the app author/developer/maintainer to support.
Is it perfect, no... is it actually much more secure, not usually. All of that said, is it available in pretty much every Linux distribution and often a newer version than what would be in the repositories, absolutely.
This is also the case for server containers, and I do worry about the day that some critical low level library that is in thousands of containers has a security bug. Yes, many shops are using CI to push out new containers regularly. Others are deploying containers from third parties, without any regular updates or path to fixing security problems.
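
The reply above about services that keep running against the libraries they were started with can be checked on a Linux host. This is an added example, not part of the thread: it relies on the kernel marking a mapping in `/proc/<pid>/maps` as `(deleted)` once a package upgrade has replaced the file on disk, and the sample maps text and the function names are constructed for illustration.

```python
import os
import re

# Constructed sample of /proc/<pid>/maps content (not captured from a real host).
SAMPLE_MAPS = """\
55d0c4a00000-55d0c4a21000 r-xp 00000000 fd:01 131 /usr/sbin/exampled
7f3a10000000-7f3a101b0000 r-xp 00028000 fd:01 262 /usr/lib/x86_64-linux-gnu/libc.so.6 (deleted)
7f3a101b0000-7f3a10208000 r--p 001d8000 fd:01 262 /usr/lib/x86_64-linux-gnu/libc.so.6 (deleted)
7f3a10400000-7f3a10420000 r-xp 00000000 fd:01 300 /usr/lib/x86_64-linux-gnu/libz.so.1
7f3a10600000-7f3a10601000 rw-s 00000000 00:01 900 /memfd:scratch (deleted)
7f3a10800000-7f3a10821000 rw-p 00000000 00:00 0 [heap]
"""

DELETED = " (deleted)"
SHARED_OBJECT = re.compile(r"\.so(\.\d+)*$")  # libfoo.so, libfoo.so.1.2.3

def stale_libraries(maps_text):
    """Return sorted paths of shared objects still mapped from a file that
    has since been unlinked or replaced on disk."""
    stale = set()
    for line in maps_text.splitlines():
        # Fields: address perms offset dev inode pathname (pathname may hold spaces).
        fields = line.split(None, 5)
        if len(fields) < 6 or not fields[5].endswith(DELETED):
            continue
        path = fields[5][: -len(DELETED)]
        # Skip memfd and other deleted scratch files; keep only shared objects.
        if SHARED_OBJECT.search(path):
            stale.add(path)
    return sorted(stale)

def scan_proc(proc_root="/proc"):
    """Map pid -> stale libraries for every process we are allowed to inspect."""
    findings = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            maps_path = os.path.join(proc_root, entry, "maps")
            with open(maps_path, errors="replace") as fh:
                libs = stale_libraries(fh.read())
        except OSError:  # process exited, or not readable without root
            continue
        if libs:
            findings[int(entry)] = libs
    return findings

if __name__ == "__main__":
    for pid, libs in sorted(scan_proc().items()):
        print(pid, ", ".join(libs))
```

Run as root to see every process; any PID it lists needs a restart before the updated library takes effect for that service.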