I gave a talk indirectly related to this at the last Fedora London Meetup, but from the perspective of economics/competition and social dynamics.
It is indeed not a good idea to ignore that, and I agree with Michael for economic reasons: if we create/keep the condition that issues have to be solved before a big community like Fedora (effectively) migrates to its flatpaks, we create incentives to solve the problem, and of course that should go along with helping to solve the problem and providing solutions (obviously there is a reason why they have not yet solved that).
But if we just migrate, there is no longer an incentive from us to solve the issue, and the immediate emphasis might (maybe even needs to) shift to other problems (such as getting the next community on board, as Fedora is considered a “done” task). However, the next community in focus might then also put its focus more on “getting more users or packagers on board through more, and more easily provided, apps” rather than considering security issues. And so on and so on → that way, this issue will remain on the to-do list, maybe even everyone's, but it remains untackled and unsolved, as it never comes into emphasis (every entity will always focus its resources on its perceived most critical problem).
That said, we also have issues in Fedora with our packaging, and as much as I trust the packages that are reviewed or maintained by the big WGs (and I consider KDE here practically as a WG), we leave the path of reliability when we end up at the packages that are 1 of 2000 of one maintainer, who might not notice the issue when their automated pipeline is broken. I don't know how many packages I have identified over time that have not been updated, sometimes for years, in one case one with a CVE (though a minor one). I am not sure whether the LXQt spin has in the meantime received an update to a maintained LXQt environment rather than an obsolete version of LXQt.
So with all that in mind, I could imagine that Flathub is the future, and its problems might be easier to solve from a holistic point of view than those of Fedora packaging (including the number of packages and the pressure to often keep stuff that we cannot reliably maintain, due to a lack of personnel contributions, while users are expected to want it), and it is worth supporting Flathub and setting the goal of making flatpaks default to it, but I don't think we should bypass issues such as those mentioned here.
By the way, I have only been testing flatpak for a few days (I am completely new to it, so I am careful about involving myself too deeply in these conversations given my lack of flatpak experience and lack of time to read all the policies around it), and beyond the warning about obsolete runtimes, I still get no warning if a package is not verified (unless I know how and where to search, have sufficient background in such technologies and therefore end up reading the page in order to get to know --subset=verified). I think the unverified issue is indirectly already part of the conversation through some of the comments above (e.g., the comments related to always using the source), but I thought it might be mentioned more explicitly for once. That issue imho should be on the “to do before migrate” list too (and, e.g., if Flathub use increases throughout communities while there are means to discourage installation of unverified flatpaks, then having no verified VLC in that situation, as at the moment, might also provide some incentive for the VLC maintainers/community to provide a verified version to get their product back in use, rather than accepting a third-party bad-practice solution that would then cause decreasing use of VLC because it is “unverified”).
I am aware that I simplify some things, but I thought it might be useful to add these points to be considered more explicitly, at least on a superficial level.
Anyway, thanks everyone for the interesting thoughts and the constructive conversation; I will try to keep skimming through it as much as I can spare the time.
(You might forgive me if I accidentally repeated something already mentioned; I could only skim through the 125 posts.)