Yea im pretty sure flatpak suports bundles that you can install directly, just like an appimage

If OP is a journalist or refugee at risk of being targeted and killed, my advice is don’t use a VPN, use TOR lol.

Not untrue, and I don’t think that the possibility should be glossed over, but honestly, what do you think is more likely: this specific person getting specifically MitM’ed by a bad actor, or a bad actor taking control of a repo that hundreds of people blindly trust. I have a sneaking suspicion that OP’s threat model isn’t sophisticated enough to need to really, truly, be worrying about that.

What are you on about? If you are using the 3rd party repo, you are just as likely to get malware than if you download the deb directly from the wbsite. Its literally the same thing, just adding the repo means that the malware could get installed automatically and without you knowing where it came from.

I just had to switch my work computer from Arch to Ubuntu becusse they want MDM on all computers now, and flatpaks are litetally the only reason i can tolerate it.

I now prioritise getting stuff from flatpaks, then the repos, and if they dont exist i use Distrobox to export any app thats only on the AUR for example.

Just setup cert-manager for a client at our work thats moving to a Kubernetes cluster. Setup the ACME issuer using DNS Cloudflare challenges, its awesome how simple it is to even get internal hostnames with certs.