@pastermil@linux The attack surface for something that isn't officially maintained by the developers, and that doesn't have more vetting (e.g. distribution packages), opens up room for malicious actors.
E.g. #arch / #aur recommends verifying scripts manually before installing, and malicious scripts have been found and removed.
There are actors like #jiatan out there. An unofficial #flatpak needs manual verification before install - that's why I just go with #snap if the flatpak isn't official.