The instructions for enabling their dependency-checking bot are at https://github.com/flathub-infra/fla...l-data-checker

Once the relevant lines are added to your flatpak-builder manifest, it will automatically check for updates and open PRs with updated dependencies and, if paired with GitHub Actions or some other CI bot, and a good test suite, can turn updating dependencies into a simple matter of "Receive e-mail from GitHub, look at test results, Click merge button, wait three-hour 'oops' grace period for changes to go live".​

As someone who wrote the manifest the PySolFC maintainer now uses, and who maintains the I Have No Tomatoes Flatpak, I can confirm that it'll support basically anything, including parsing arbitrary HTML to find updated dependency URLs.

You better quit using the software from that developer, period.

if the dev will put something malicious inside the app the maintainer/packager will be very unlikely to spot it- unless there will be some warning for buffer overflow etc - but any half decent dev would make sure it would not show up so easily.

it's way more likely that it's the maintainer will put something inside- either by an accident or on purpose. And snaps/flatpaks do offer some sort of sandboxing (even if many of them runs with the very broad access by default). applications installed via debs do not run in sandbox unless otherwisely specified. and they can do whatever they want in pre and post installation scripts.