Just from a quick glance at your flatpak perms (directly ctrl+f'ing for this specific perm bcs it's often made as a mistake) you are ALWAYS granting permission to both the Wayland and X11 sockets when such exist. Per https://docs.flatpak.org/en/latest/sandbox-permissions.html#permissions-guidelines you should be using fallback-x11 instead which only grants x11 access if on an X11 session wherein Wayland is thus unavailable.
This prevents a small hole in security, and reduces the attack surface in an easy way for most applications.
Just from a quick glance at your flatpak perms (directly ctrl+f'ing for this specific perm bcs it's often made as a mistake) you are ALWAYS granting permission to both the Wayland and X11 sockets when such exist. Per https://docs.flatpak.org/en/latest/sandbox-permissions.html#permissions-guidelines you should be using
fallback-x11instead which only grants x11 access if on an X11 session wherein Wayland is thus unavailable.This prevents a small hole in security, and reduces the attack surface in an easy way for most applications.