Yes, this is what GNOME Boxes uses.
See: 1284447 – libvirt group is unauthenticated root equivalent.
There are “options” to escalate from system libvirtd access to full root on a system.
No. Fedora defaults to system-installed Flatpaks.
Any (in)security claim must come with a threat model; otherwise it is security theater.
The installation location does not determine what a Flatpak application can do. Neither system-installed Flatpaks nor user-installed ones can do privileged operations.
This is not the default use case for Fedora. This requires configuration.