This is kind of a bad comparison. Theoretically, malicious authors could sign their Flatpak packages and Flatpak could verify it with cryptography. It doesn't matter if you're downloading a "crypto-wallet" that's really just a phishing exercise.
That's why they put their public key fingerprint on many distinct domains, and users can import them and pin them. Flatpak doesn't support this. Apt does.
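The fingerprint-pinning workflow the comment alludes to, as an added example that is not part of the original post: copy the key fingerprint from several independent sources, refuse the downloaded key unless it matches, and scope it to a single repository with apt's `signed-by`. The URL, repository name and fingerprints are placeholders assumed for illustration; `gpg`, `curl` and the `/etc/apt/keyrings` layout are the real tools and paths.

```shell
#!/bin/sh
# Added example, not code from the original comment. Pins a third-party apt
# signing key by its full fingerprint. URL, repo name and fingerprints used
# by the caller are assumed placeholders.
set -eu

# Normalise a fingerprint as published on a web page: drop spaces/colons
# and the line break, uppercase the hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'
}

# Fingerprints copied from several independent sources (the "many distinct
# domains" in the comment). Succeeds, printing the canonical fingerprint,
# only if every copy agrees and is a full 40-hex-digit v4 fingerprint.
# A short key ID is not accepted: 32-bit IDs are trivially collidable.
pinned_fprs_agree() {
    ref=$(normalize_fpr "$1"); shift
    case "$ref" in
        ""|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#ref}" -eq 40 ] || return 1
    for f in "$@"; do
        [ "$(normalize_fpr "$f")" = "$ref" ] || return 1
    done
    printf '%s\n' "$ref"
}

# Fingerprint of the primary key in an armored key file, read from gpg's
# machine-readable output; the first "fpr" record belongs to the primary key.
key_fingerprint() {
    gpg --batch --with-colons --show-keys --with-fingerprint "$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Download the key, reject it unless its fingerprint equals the pinned one,
# then install it as its own keyring and bind it to exactly one repo line.
# Keeping it out of the legacy trusted.gpg means it cannot sign any other repo.
install_pinned_key() {
    url=$1; pinned=$2; name=$3; repo_line=$4
    tmp=$(mktemp)
    curl -fsSL "$url" -o "$tmp"
    got=$(key_fingerprint "$tmp")
    if [ "$got" != "$pinned" ]; then
        echo "fingerprint mismatch: got $got, pinned $pinned" >&2
        rm -f "$tmp"
        return 1
    fi
    install -d -m 0755 /etc/apt/keyrings
    gpg --dearmor -o "/etc/apt/keyrings/$name.gpg" < "$tmp"
    rm -f "$tmp"
    printf 'deb [signed-by=/etc/apt/keyrings/%s.gpg] %s\n' "$name" "$repo_line" \
        > "/etc/apt/sources.list.d/$name.list"
}

# Usage (placeholders):
#   fpr=$(pinned_fprs_agree "$FPR_FROM_SITE" "$FPR_FROM_DOCS" "$FPR_FROM_GITHUB") \
#     && install_pinned_key https://example.invalid/key.asc "$fpr" example \
#        "https://example.invalid/apt stable main"
```

The check is deliberately strict about length so that a fingerprint truncated by a web page, or a key ID passed where a fingerprint was meant, fails closed rather than pinning less than intended.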