I would not offer any option to enable the full Flathub library. What I would do is change the existing “enable third-party repositories” setting to an “enable searching for proprietary software” setting; that would allow searching for the proprietary subset of Flathub. Open source software that is not built from source should just be entirely unavailable, unless you go to Flathub’s website and follow the command-line instructions to build it.
Flathub doesn’t currently have a subset for “open source but not built from source,” so this would require changes on Flathub’s end to implement. (I don’t think we want to use fedora-flathub-filter for this.)
Fortunately, I can confirm that Fedora Legal is fine with us enabling all of Flathub. We have no legal restrictions here whatsoever.
These apps’ appstream metadata indicates that they are considered open source. And that’s not entirely unreasonable, because they are open source. We just have to hope that whoever built them is not malicious, and that their computers are not compromised.
I only have this list of a few examples, not statistics. We need to be confident that we know of ALL such examples.
Note that I’m not worried about stuff like Firefox that has its own trustworthy build infrastructure separate from Flathub. (I’m not sure about OBS Studio; we’d need to evaluate that one carefully.)