While I'd like for more portal-based file access integrated in applications, with flatseal you can pretty easily adjust what folders/files a certain flatplak application can access. E.g. I can limit firefox to only the ~/Download & ~/.mozilla directories, instead of the whole of ~. It also allows for configuring stuff like X11, wayland, network, printing and more.

There's obviously much more to do, but it already prevents many things like a pdf.js exploit being able to copy my ~/.ssh, without having to resort to some really clunky solution like a VM.