3. What's wrong with apt/yum/zypper/pacman or whatever Alpine uses that they want to go for flatpak? Why O(n) copies of libstdc++? (if my understanding of flatpak is correct) Who is going to update the dependencies when there's a CVE?
Flatpak uses OSTree to distribute and manage applications and runtimes. The repo/ in the above tree is the local OSTree repository. Flatpak creates the active/ directories of applications and runtimes as symlinks to OSTree checkouts (in the same directory). Using OSTree has the advantage that the checkouts are automatically deduped and share diskspace, since OSTree is using hardlinks and content-based addressing. OSTree also makes it easy to roll back to an earlier version, should the need arise. But the definition of the filesystem layout for applications and runtimes and the sandboxing implementation are not tied to OSTree in any way, and it is very possible to distribute runtimes and applications with a different mechanism.