
Shrug. At least Mac App Store apps are sandboxed. On Linux, you are only one vulnerability away from full user account compromise.

(Zoom should just be an App Store app, not a crappy installer.)



Linux definitely lags behind macOS and mobile operating systems with the maturity and integration of sandboxing options for GUI apps. Hopefully Flatpak (or XDG Portals with just a policy system or something) can fill that gap for most apps in the future.

And Linux users can typically expose themselves to the same shit as Mac users with Zoom here: when they grab proprietary DEBs for Discord or Google Chrome or whatever, those can run scripts that mess with the whole filesystem or call out to the internet at install time. It's only by convention that those behaviors are forbidden in the normal repos on most distros.

I don't love that the only repository-like option that's part of the normal system is the App Store, or that it doesn't come with an official CLI. I can see how some small proprietary software authors trying to make a living might resent being funneled toward a platform where Apple takes their cut, and I empathize. But for end users, I still think centralizing app updates into one system and taking the implementation details out of the hands of app developers/publishers is the only thing that makes sense, even if that always means going with the App Store.


On the contrary, an advanced user can very easily sandbox all the apps in Linux. But anything custom is hard on macOS.


Sure, you can use something like bubblewrap, but it doesn’t make applications easy to sandbox. E.g. how do you sandbox an application and still make it possible to use Open/Save dialogs?

You need to use something like portals, like Flatpak does. But the Flatpak sandboxing model is clearly inspired by macOS and hated by a significant portion of the Linux community.



