Apply system crypto policy to flatpak

In Silverblue/Fedora 33, I created an IMAP/SMTP account in GOA but system-wide flatpak org.gnome.Evolution (fedora repo) refused to open that mailbox:

The reported error was "Failed to get capabilities: Error performing TLS handshake: A packet with illegal or unsupported version was received.".

I know this relates to:

I had a similar problem with another non-flatpak program, and it would run properly after changing my crypto policy:

$ update-crypto-policies --show

Within an Evolution container, crypto policy remains “DEFAULT”, so I tried various things to no effect:

  1. flatpak run --env=G_TLS_GNUTLS_PRIORITY=LEGACY org.gnome.Evolution
    (Actually, if I run ldd against all shared objects descending from the container’s /app, nothing links directly to gnutls, but I do see references to libssl)
  2. sudo flatpak override --system --filesystem=host-etc:ro --filesystem=host-os:ro org.gnome.Evolution
    (no change after opening Evolution thereafter)
  3. flatpak run --filesystem=host-etc:ro --filesystem=host-os:ro --command=update-crypto-policies org.gnome.Evolution --show

It seems as if crypto policy is always inherited from Evolution’s runtime (org.fedoraproject.Platform/x86_64/f33).

Is there a way around this?

Quoting flatpak-metadata(5):

           The host operating system's configuration from /etc.

           To avoid conflicting with the Flatpak runtime, this is mounted
           in the sandbox at /run/host/etc.

So I guess this behavior is by design.
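
To make the /etc versus /run/host/etc split visible, the following check is an added example, not part of the original post or of Flatpak itself. It assumes both trees use Fedora's crypto-policies layout (`crypto-policies/config` holding the configured policy name); the function names and the sample trees are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the crypto policy seen inside the sandbox (/etc)
# with the host's copy that Flatpak mounts at /run/host/etc.
# Assumption: <etc>/crypto-policies/config holds the configured policy name.

# Print the policy configured under the given etc directory, or "unknown".
policy_of() {
    cfg="$1/crypto-policies/config"
    [ -r "$cfg" ] || { echo unknown; return 0; }
    # Drop comments, whitespace and blank lines; the first line left is the policy.
    p=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$cfg" | head -n 1)
    echo "${p:-unknown}"
}

# Print both policies; return 0 only when the sandbox policy is known and
# matches the host's, 1 otherwise.
compare_policies() {
    sandbox_etc="${1:-/etc}"
    host_etc="${2:-/run/host/etc}"
    s=$(policy_of "$sandbox_etc")
    h=$(policy_of "$host_etc")
    echo "sandbox=$s host=$h"
    [ "$s" != unknown ] && [ "$s" = "$h" ]
}

# Constructed sample trees (not from the page): runtime at DEFAULT, host at LEGACY.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/sandbox/crypto-policies" "$d/host/crypto-policies"
    printf '# runtime policy\nDEFAULT\n' > "$d/sandbox/crypto-policies/config"
    printf 'LEGACY\n' > "$d/host/crypto-policies/config"
    rc=0
    compare_policies "$d/sandbox" "$d/host" || rc=$?
    rm -rf "$d"
    return "$rc"
}

# Check the real trees only when asked: sh check-policy.sh --run
if [ "${1:-}" = "--run" ]; then compare_policies || true; fi
```

Run it with `--run` from a shell started inside the sandbox with `--filesystem=host-etc:ro`; a mismatch shows that the host policy is readable under /run/host/etc while the libraries in the sandbox still read the runtime's own /etc.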