> Upstream developers cannot be trusted to update dependencies on a timely basis.
And the current system, even without Flatpak, doesn't force them to. You're not arguing against Flatpak, you're arguing against decentralized app distribution in general.
You are already living in a world where upstream developers can decide to distribute their software using channels that distro maintainers can't control, update, or patch.
Flatpak changes nothing about that arrangement, it merely acknowledges that the problem exists and tries to make it slightly better. The alternative to Flatpak for a lot of Open Source devs isn't an official Debian package, it's a tar.gz file, which is just objectively worse.
OP has just provided concrete examples of those problems appearing in the real, existing public repos for Flatpak.
This is not surprising.
It has turned out exactly as expected: Upstream developers cannot be trusted to update dependencies on a timely basis.