Ubuntu 24.04 LTS Aims For A Nice Desktop Provisioning Experience

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Ubuntu 24.04 LTS Aims For A Nice Desktop Provisioning Experience

    Phoronix: Ubuntu 24.04 LTS Aims For A Nice Desktop Provisioning Experience

    In addition to exploring low-latency changes for the "generic" kernel image, frame pointers by default, and possible x86-64-v3 optimizations, another area being invested into feature work for this next long-term support release is on the desktop provisioning side. Building off work of their new Ubuntu desktop installer and unifying the installation tech that has already been used by Ubuntu Server, Canonical is hoping for a nice desktop provisioning experience in facilitating automated installations, managed desktop setups within enterprises, and OEM/ODM deployments...


  • #2
    As much as Calamares has been a benefit to the Linux community, I think this is a good thing for various reasons. It will certainly make Ubuntu more on-par with Windows in terms of deployment options.

    Semi-unrelated to the article in question (since it's Ubuntu specific) but I kind of think it's time for Calamares to have some competition in the distro-independent installer landscape because it's been pretty stagnant for a long while. It's also not had a visual redesign since its release date 8 years ago. As (generally) the first application new users see, it shouldn't be what amounts to programmer art.


    • #3
      As long as it remains easy to rip snaps out of Kubuntu, install Linux Mint's "block snaps from being pulled back in" APT rule, and set up an nVidia+X11+KDE+Flatpak configuration like I've got on 22.04 LTS, I'll be happy. (Otherwise, I'll stay on 22.04 LTS until the end of the support window and then experiment to make a switch to Debian stable as quick and painless as possible.)

      I've already grown used to my workaround to veto the system's veto of my xorg.conf line to configure my monitor layout properly and my old PC is still intact as a "test before pushing to production" platform and still more or less identical aside from the slower CPU and the missed update from 20.04 LTS, so I shouldn't need to procrastinate the update this time.
      Last edited by ssokolow; 04 February 2024, 02:31 PM.


      • #4
        Originally posted by ssokolow View Post
        install Linux Mint's "block snaps from being pulled back in" APT rule.
        How exactly do you do this?
        Can you elaborate on that please?


        • #5
          Originally posted by Beach View Post
          How exactly do you do this?
          Can you elaborate on that please?
          Open/Create a file in
          /etc/apt/preferences.d/nosnap.pref

          and add the following into it

          Package: snapd
          Pin: release a=*
          Pin-Priority: -10

          Do I recommend you do this?
          Eeeehhhh depends on how much you are willing to go against snaps, to which I would recommend you use something like Debian instead maybe.


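The stanza above only works if APT actually reads the file and if the pin is negative. As an added example (not code from the thread or from Linux Mint), the following Python parses apt_preferences(5) stanzas, reports which packages are pinned below 0 and so cannot be installed, and checks the filename rule for /etc/apt/preferences.d: files are read only if they have no extension or the extension "pref" and contain only alphanumerics, "-", "_" and ".". The sample file contents are constructed; the first stanza is the one quoted in the post.

```python
"""Audit apt preferences.d pins. Added example, not from the thread.

The sample text below is constructed: stanza one is the nosnap.pref
stanza from the post, stanza two is an unrelated positive pin so the
parser has something to leave alone.
"""
import re
import tempfile
from pathlib import Path

SAMPLE_PREFS = """\
Package: snapd
Pin: release a=*
Pin-Priority: -10

Package: example-tool
Pin: release o=LP-PPA-example
Pin-Priority: 1001
"""

# apt_preferences(5): names in preferences.d may only use these characters
VALID_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def apt_will_read(filename):
    """True if APT will honour a file with this name in preferences.d.
    A stray 'nosnap.conf' or 'nosnap.pref~' is silently ignored, which is
    the classic reason a pin 'does not work'."""
    if not VALID_NAME.match(filename):
        return False
    _, dot, ext = filename.rpartition(".")
    return not dot or ext == "pref"


def parse_preferences(text):
    """Split a preferences file into stanzas (dict of Header -> value).
    Stanzas are separated by blank lines; '#' starts a comment line."""
    stanzas, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        if not line:
            if current:
                stanzas.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed preferences line: {raw!r}")
        current[key.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def blocked_packages(text):
    """Packages whose Pin-Priority is negative. APT never installs a version
    pinned below 0, so the package cannot be pulled back in as a dependency
    of something else."""
    blocked = []
    for stanza in parse_preferences(text):
        try:
            priority = int(stanza.get("Pin-Priority", "0"))
        except ValueError:
            continue
        if priority < 0 and "Package" in stanza:
            blocked.append(stanza["Package"])
    return blocked


def scan_preferences_dir(directory):
    """{filename: [blocked packages]} for files APT reads,
    {filename: None} for files it ignores because of the name rule."""
    results = {}
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        if not apt_will_read(path.name):
            results[path.name] = None
        else:
            results[path.name] = blocked_packages(path.read_text())
    return results


def demo():
    """Write the constructed sample under two names into a temp dir: one
    APT would read, one it would ignore."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "nosnap.pref").write_text(SAMPLE_PREFS)
        Path(tmp, "nosnap.conf").write_text(SAMPLE_PREFS)  # wrong extension
        return scan_preferences_dir(tmp)


if __name__ == "__main__":
    for name, blocked in demo().items():
        print(name, "ignored by APT" if blocked is None else f"blocks {blocked}")
```

On a live system the equivalent check is `apt-cache policy snapd`, whose output should list the -10 pin; if it does not, the filename rule above is the first thing to check.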
          • #6
            Originally posted by SViN View Post

            Open/Create a file in
            /etc/apt/preferences.d/nosnap.pref

            and add the following into it

            Do I recommend you do this?
            Eeeehhhh depends on how much you are willing to go against snaps, to which I would recommend you use something like Debian instead maybe.
            It's been an effortless "set it and forget it" thing for me so far... but then I was already running my Firefox, Thunderbird, Ungoogled Chromium, and Tor Browser out of flatpaks for an extra layer of easier-to-customize-than-Firejail sandboxing to begin with.

            We'll see if 24.04 LTS moves anything I'm not already getting off Flatpak into snaps. It's not as if I have any reason to use Ubuntu instead of Debian to run something more server-y that they might snap. Worst case, there's no PPA and I have to run it on one of the mini PCs I'm currently running a cut-down Debian on to turn into dedicated low-measurement-noise benchmarking environments for algorithms I implement.
            Last edited by ssokolow; 04 February 2024, 06:02 PM.


            • #7
              Originally posted by ssokolow View Post

              It's been an effortless "set it and forget it" thing for me so far... but then I was already running my Firefox, Thunderbird, Ungoogled Chromium, and Tor Browser out of flatpaks for an extra layer of easier-to-customize-than-Firejail sandboxing to begin with.
              I have to ask if you're actually using the sandboxing feature for those apps. As far as I know, every single one of those apps breaks out of the Flatpak sandbox by default (except maybe Tor?), and attempting to put them back into the sandbox breaks several features if not the entire application. You mentioned customization of the sandbox, but I have to ask. Even allowing an app to save a file to your home directory is allowing them to break out of the sandbox.


              • #8
                Originally posted by Daktyl198 View Post

                I have to ask if you're actually using the sandboxing feature for those apps. As far as I know, every single one of those apps breaks out of the Flatpak sandbox by default (except maybe Tor?), and attempting to put them back into the sandbox breaks several features if not the entire application. You mentioned customization of the sandbox, but I have to ask. Even allowing an app to save a file to your home directory is allowing them to break out of the sandbox.
                I set overrides for practically every Flatpak I install, if for no other reason than that I have an "access to shared filesystem areas XOR network access" policy and a "never use --filesystem=host or --filesystem=home" policy. (e.g. Firefox gets its own xdg-downloads at /mnt/bulk/flatpak-incoming/firefox plus a few :ro grants for places where I keep HTML-format apidocs and the like.)

                In cases like games, I generally grant neither shared filesystem access nor network access, since I refuse to pay for things which need a Steam-like client, don't do netplay, and don't care about achievements.

                ...plus, different apps are used for different privilege-isolation levels, so Flatpak's automatic blacklisting of non-self ~/.var/app directories (even with --filesystem=host or --filesystem=home) means that, for example, 99.999% of the time, you won't see exfiltratable email credentials from any of the browsers, because those are in the Thunderbird Flatpak's directory. (And every account gets its own e-mail alias and password in case of data breaches and I use 2FA on any site that allows me to turn it on without giving them an SMS number.)

                (And that's assuming that I get manipulated into granting a site permission to load whatever the exploit vector is in uMatrix in the first place, which I generally don't because I have a low opinion of sites requiring JavaScript or assets from third-party domains for things I know how to implement without them.)

                I will admit that X11 is currently a giant hole, but, at this stage of things, it's more meant to provide a hopefully crash-inducing roadblock in front of what non-targeted exploits expect to get than to fend off a tailored attack.

                It also helps that I use a desktop PC and keep my webcam and microphone unplugged when not in use and I set up the pam_u2f module so that ANY attempt to elevate privileges or log in (local or SSH) will result in a blinking LED "touch to authorize" prompt on my Yubico FIDO/U2F token, further turning my PC into a minefield for exploits. (The only situation where I want SSH into this machine to be possible is from another machine in the same room and my OPNsense router is configured accordingly.)
                Last edited by ssokolow; 05 February 2024, 12:51 AM.


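The two rules stated in the post above ("never --filesystem=host or --filesystem=home" and "shared filesystem access XOR network access") can be checked mechanically against the override files Flatpak writes. The following is an added example, not the poster's own tooling: it parses override keyfiles of the form Flatpak stores at ~/.local/share/flatpak/overrides/<app-id> (a [Context] group whose values are ";"-separated lists, with a leading "!" revoking an entry) and reports violations. The sample overrides are constructed; the definition of a "shared" area (any writable grant outside a per-app directory under /mnt/bulk/flatpak-incoming/, mirroring the post's example path) and the app ids are assumptions for the example.

```python
"""Audit Flatpak override files against a two-rule policy. Added example;
the overrides below are constructed and the policy is the poster's, not
Flatpak's. Rule 1: no host/home style grants. Rule 2: network access and
shared writable filesystem access never coexist in one app."""
import configparser

# Rule 1: grants that expose (roughly) the whole host or home directory.
BROAD_GRANTS = {"host", "host-os", "host-etc", "home"}
# Assumed convention: each app's private incoming directory lives here.
PRIVATE_ROOT = "/mnt/bulk/flatpak-incoming/"

# Constructed sample overrides (keyfile text as found in overrides/<app-id>).
SAMPLE_OVERRIDES = {
    # Mirrors the post: network, a private download dir, read-only apidocs.
    "org.mozilla.firefox": """\
[Context]
shared=network;
filesystems=!home;!host;/mnt/bulk/flatpak-incoming/firefox;/srv/apidocs:ro;
""",
    # Deliberately violates both rules.
    "org.example.Browser": """\
[Context]
shared=network;
filesystems=home;
""",
    # A game: writable save dir but network revoked, so rule 2 holds.
    "org.example.Game": """\
[Context]
shared=!network;
filesystems=/mnt/bulk/games/saves;
""",
}


def parse_context(text):
    """Return the [Context] group as {key: [entries]}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("Context"):
        return {}
    return {key: [e.strip() for e in value.split(";") if e.strip()]
            for key, value in cp.items("Context")}


def granted(entries):
    """Entries without a leading '!' are grants; '!' entries are revocations."""
    return [e for e in entries if not e.startswith("!")]


def is_shared_writable(entry):
    """Assumed definition of a 'shared filesystem area': a writable grant
    (no :ro suffix) that is not inside the app's private directory."""
    path, _, mode = entry.partition(":")
    if mode == "ro":
        return False
    return not path.startswith(PRIVATE_ROOT)


def audit(app_id, text):
    """Return a list of human-readable findings for one override file."""
    ctx = parse_context(text)
    filesystems = granted(ctx.get("filesystems", []))
    findings = []

    broad = [e for e in filesystems if e.partition(":")[0] in BROAD_GRANTS]
    if broad:
        findings.append(f"{app_id}: rule 1 violated by broad grant {broad}")

    has_network = "network" in granted(ctx.get("shared", []))
    shared = [e for e in filesystems if is_shared_writable(e)]
    if has_network and shared:
        findings.append(
            f"{app_id}: rule 2 violated, network plus shared writable {shared}")
    return findings


def audit_all(overrides):
    """Audit a mapping of app-id -> override text and concatenate findings."""
    findings = []
    for app_id, text in overrides.items():
        findings.extend(audit(app_id, text))
    return findings


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_OVERRIDES):
        print(finding)
```

One caveat the override files cannot show: they record only the deltas against the permissions in the app's own manifest, so an app that ships with --filesystem=home and has no override at all is still wide open. For the effective result, compare against `flatpak info --show-permissions <app-id>` on the machine itself.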
                • #9
                  Originally posted by ssokolow View Post
                  ...
                  I'm glad to see somebody using the sandbox and portals in a proper way. Too many people just install apps like Firefox via Flatpak and then claim they are somehow more secure than the native binary, despite the app (and thus any malicious party who gets control over it somehow) having full write access to their entire system.


                  • #10
                    Originally posted by Daktyl198 View Post

                    I'm glad to see somebody using the sandbox and portals in a proper way. Too many people just install apps like Firefox via Flatpak and then claim they are somehow more secure than the native binary, despite the app (and thus any malicious party who gets control over it somehow) having full write access to their entire system.
                    To be fair, they are technically correct, even if completely and utterly wrong about the effect they think they're getting, since unconditionally blacklisting access to ~/.var/app directories other than the app's own does technically meet some limited definition of "more secure than the native binary" as long as they were already bypassing distro maintainer review by getting it from a PPA.

                    It's all a question of threat model. If your threat doesn't know how to inject stuff into ~/.bashrc or ~/.xsessionrc or what have you, then it might help and the Firefox Flatpak is going to be that little bit more secure than the other releases also maintained by the same Mozilla upstream like their tarball which are completely unrestricted.
                    Last edited by ssokolow; 05 February 2024, 06:58 AM.
