* Exfiltrate personal data from allowed Flatpak directories
* Steal data you intentionally open via portals (e.g., documents, password files, wallet backups)
* Store malware or persistence files inside the Flatpak sandbox
* Use network access to phone home data or join botnets
* Abuse CPU/GPU for crypto mining
* Delete or modify files in your home directory if granted --filesystem=home
* Read browser cookies, auth tokens, SSH keys, cloud credentials if home is exposed
* Install persistence via ~/.config/systemd/user/ services
* Global keystroke logging on X11
* Screenshot entire desktop on X11
* Inject fake input events to the system (mouse/keyboard) on X11
* Record screen via portals if the user once granted permission
* Gain full FS access if granted --filesystem=host
* Abuse D-Bus to change system settings or trigger polkit actions
* Install software outside the sandbox (e.g., ~/.local/bin or autostart scripts)
* Interact with hardware via /dev if granted --device=all
* Trigger kernel or driver privilege-escalation vulnerabilities
* Load or execute unsafe third-party mods, DLLs, or anti-cheat binaries
* Malicious patchers or mod loaders downloading external payloads
* Replace shell history or alter aliases to hide malicious activity
* Encrypt local or network-mounted files (ransomware)
* Spread laterally via stolen SSH keys to other machines
* Manipulate GPU/driver calls for rootkit-like persistence
* Abuse Wine/Proton compatibility layers to escape sandbox using native loaders
* Modify dotfiles (.bashrc, .profile) for stealth persistence
* Abuse LAN trust to attack other devices on the network
* Disrupt system performance via thermal abuse (extreme sustained loads)
* Exfiltrate browser sessions or wallet seeds stored in plaintext
* Execute background processes whenever the game is launched without user awareness
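
Several items above depend on specific grants (--filesystem=home, --filesystem=host, --device=all, the X11 socket, network access). The following Python audit is an added example, not part of the original list: it parses the keyfile that `flatpak info --show-permissions <app-id>` prints and reports which of those grants an app holds. The names `audit_permissions`, `RISKY` and `SAMPLE` are this example's own, and the sample metadata is constructed.

```python
import configparser

# Risky grants named in the list above, keyed by ([Context] key, value).
RISKY = {
    ("filesystems", "host"): "full filesystem access",
    ("filesystems", "home"): "home directory exposed (dotfiles, SSH keys, browser data)",
    ("devices", "all"): "access to hardware via /dev",
    ("sockets", "x11"): "X11: keystroke logging, screenshots, input injection",
    ("shared", "network"): "network access (exfiltration, phone-home)",
}

def audit_permissions(metadata_text):
    """Return sorted findings for one app's Flatpak metadata keyfile."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(metadata_text)
    findings = []
    if not cp.has_section("Context"):
        return findings
    for key, raw in cp.items("Context"):
        # Values are ';'-separated lists, usually with a trailing ';'.
        for entry in filter(None, (e.strip() for e in raw.split(";"))):
            if entry.startswith("!"):  # "!host" revokes a grant (override syntax)
                continue
            name, _, mode = entry.partition(":")  # e.g. "home:ro"
            risk = RISKY.get((key, name))
            if risk:
                suffix = " (read-only)" if mode == "ro" else ""
                findings.append(f"{key}={entry}: {risk}{suffix}")
    return sorted(findings)

# Constructed sample in the keyfile format described above; not from a real app.
SAMPLE = """\
[Context]
shared=network;ipc;
sockets=x11;pulseaudio;
devices=all;
filesystems=home:ro;xdg-download;!host;
"""

if __name__ == "__main__":
    for line in audit_permissions(SAMPLE):
        print(line)
```

Grants flagged this way can be narrowed per app with `flatpak override`, for example `flatpak override --user --nofilesystem=home <app-id>`.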