An attacker will steal your browser cookie the same way they do without Flatpak.
If you have poor security hygiene and bad habits, neither Flatpak nor anything else will save you.
I feel personally attacked. Yes, I've actually done this (minus sending them money). I had a server (that I am pretty sure sent headers to the effect that it ran x86) which had some logs indicating someone had tried to download an ARM IoT botnet onto it. So I downloaded it and tried running it through a decompiler. I found a UPX stub. The rest was compressed. So I tried the UPX unpacker. This didn't work because it was built with a modified copy of UPX. So I hauled out a Raspberry Pi, reflashed the OS and tried running it in GDB in hopes of just dumping the unpacked bit from memory. Nothing. So I downloaded QEMU and set up an aarch64 ARM 9 image. Still nothing. So I tried 32-bit ARM again in QEMU. At this point I gave up.