Debian 13:
$ uname -r
6.12.88+deb13-amd64
$ snap debug sandbox-features|grep confinement
confinement-options: classic devmode
$ snap debug confinement
partial
$ aa-enabled
Yes
Ubuntu (24.04):
$ uname -r
6.8.0-117-generic
$ snap debug sandbox-features|grep confinement
confinement-options: classic devmode strict
$ snap debug confinement
strict
$ aa-enabled
Yes
What does this mean, you ask? Well, basically every Snap package you thought was running isolated in it’s own little sandbox were running unconfined the whole time. The prorpietary app you removed the :home connection from, so it wouldn’t be able to access your home directory? Well, it could have exfiltrated all our private files in the meantime.
How is this not a bigger deal and how are Snaps ever to become mainstream when even today, more than 10 years after the introduction of snaps, you can’t run them sandboxed on a huge portion of Linux distros?
Last time I checked the Snap Store was proprietary. While you could modify the Snap client, you can’t host your own store and you’re at the whims of Canonical for which apps you can get.
Meanwhile, both the Flatpak client and server are open, and you could (and some distros do) host your own repo. For example, Fedora has its own repo for Fedora-packaged Flatpak apps alongside Flathub.