They only cover the user-facing app part of the story. The rest of the system needs isolation and safeguards too, including things like the desktop environment and whatever random daemon happens to be running.
A solution that's integral to the system and not just loosely taped on is required.