How to be certain that games or other apps in the SteamOS Discover center are legitimate?
When you launch the Steam Deck in desktop mode, the UI by default contains a shortcut to something called "Discover Software Center". My experience with Linux-based systems is very limited, but I am aware that most distributions have a sort of software center or package manager like this, comparable to an app store. I have read that each Linux distribution has its own repository of games and applications, so I'm assuming the same is true for SteamOS. What I don't understand, however, is how these repositories are managed and curated. Does the team or company behind the OS manually verify everything on it, or could theoretically anyone pose as the developer of some popular software and submit something malicious to appear in there?
The specific case that brought this question up for me is when I wanted to install Discord on the Steam Deck. I found it in Discover, but the app's description says "This wrapper is not verified by, affiliated with, or supported by Discord Inc." This has me confused, and there doesn't seem to be any further clarification about this. I am aware of third party clients for apps like Discord existing, but how can I be certain this won't steal my login details, or secretly run other things in the background that I may not want? Similar concerns apply to other games and programs.
Can anything in the Discover center be blindly trusted to be safe? If so, why, and if not, how would you make sure?
The idea behind services like this is "crowd sourcing". People can share something others can use, and any users are expected to trust what they use. Well-organized crowd-sourced services tend to https://github.com/flathub/flathub/wiki/App-Submission though they usually have https://github.com/flathub/flathub/wiki/App-Requirements about what can be submitted. And there's usually volunteer community policing of the content that's done by both regular users and those who are moderators or admins.
https://flathub.org/apps/details/com.gitlab.davem.ClamTk (and likely others) can at least https://unix.stackexchange.com/q/674565/310780. https://www.reddit.com/r/Fedora/comments/ljbqdm/is_flatpak_secure/gnfq6v9?context=3 (edited for clarity, length):
By default system folders are not accessible by the container that runs the flatpak app. You can customize permissions if you don't trust the maintainer ( https://flathub.org/apps/details/com.github.tchx84.Flatseal for this). For instance, I create a strict policy (no network, only has access to a specific directory, etc). The other question this brings up is what is safer: An "official" package that has full access to your system, or an "unknown" package that lives by default in a container?
In the end it's up to each user to avoid, to "trust but verify", or to lock apps into their own little world and consider it "safe enough" if you can't verify whether they're trustworthy. There are communities like https://discourse.flathub.org/ and https://www.reddit.com/r/flatpak which would be good for discussing specific apps, and the Steam Deck communities could also be good as it concerns them in particular and there's going to be plenty of knowledgeable users with them who will be glad to help.
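As an added example of the "customize permissions if you don't trust the maintainer" step above (this is editor-written code, not part of the original answer and not Flatpak or Flathub project code), the following Python script reads a permission listing in the key-file format that `flatpak info --show-permissions <app-id>` prints, flags the grants that weaken the sandbox, and produces the text of a user override file (the same format Flatseal and `flatpak override --user` write to `~/.local/share/flatpak/overrides/<app-id>`) that negates them. The sample listing embedded in the script is constructed for illustration and is not the real manifest of Discord or of any other Flathub app, and the `RISKY_CONTEXT` / `RISKY_BUS_NAMES` tables are this editor's judgement of what matters, not a list defined by Flatpak.

```python
"""Audit a Flatpak's static sandbox permissions and emit a tightening override.

Added example: not code from the original post, Flathub, or Flatpak.
Input format matches what `flatpak info --show-permissions <app-id>` prints;
the output format matches ~/.local/share/flatpak/overrides/<app-id>.
"""
import configparser
from typing import Dict, List, Tuple

# Constructed sample permission listing (illustration only; it is not the
# real manifest of Discord or of any other Flathub app).
SAMPLE_PERMISSIONS = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=home;xdg-download;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
org.freedesktop.Notifications=talk
"""

# Grants this editor treats as sandbox-weakening (a judgement call, not a
# Flatpak-defined list): whole-host or whole-home filesystem access, raw
# device access, unfiltered D-Bus sockets, and network access (the one that
# matters most for "could it send my login details somewhere").
RISKY_CONTEXT = {
    "filesystems": {"host", "host-os", "host-etc", "home"},
    "devices": {"all"},
    "sockets": {"session-bus", "system-bus"},
    "shared": {"network"},
}
# Talk rights on these session-bus names let an app run commands outside the
# sandbox (flatpak-spawn --host) or drive systemd, i.e. a sandbox escape.
RISKY_BUS_NAMES = {"org.freedesktop.Flatpak", "org.freedesktop.systemd1"}

Finding = Tuple[str, str, str]  # (section, key, value)


def parse_permissions(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse the key-file listing into {section: {key: [values]}}.

    Context values are ';'-separated lists; bus policy values are one word.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # D-Bus names are case-sensitive; keep them intact
    cp.read_string(text)
    perms: Dict[str, Dict[str, List[str]]] = {}
    for section in cp.sections():
        perms[section] = {}
        for key, raw in cp.items(section):
            perms[section][key] = [v for v in raw.split(";") if v]
    return perms


def find_risky(perms: Dict[str, Dict[str, List[str]]]) -> List[Finding]:
    """Return the grants from RISKY_CONTEXT / RISKY_BUS_NAMES the app holds."""
    findings: List[Finding] = []
    for key, values in perms.get("Context", {}).items():
        for value in values:
            # filesystem entries may carry a mode suffix, e.g. "home:ro"
            base = value.split(":", 1)[0] if key == "filesystems" else value
            if base in RISKY_CONTEXT.get(key, set()):
                findings.append(("Context", key, value))
    for name, policy in perms.get("Session Bus Policy", {}).items():
        if name in RISKY_BUS_NAMES and policy and policy[0] in ("talk", "own"):
            findings.append(("Session Bus Policy", name, policy[0]))
    return findings


def build_override(findings: List[Finding], keep_dirs: Tuple[str, ...] = ()) -> str:
    """Build the text of a user override that negates each risky grant.

    In an override file a leading '!' removes a permission (this is what
    `flatpak override --unshare=network` / `--nofilesystem=home` write), and a
    bus policy of 'none' revokes talk/own rights. keep_dirs lists directories
    the app should still see after home access is removed, e.g. "~/Documents".
    """
    context: Dict[str, List[str]] = {}
    bus: Dict[str, str] = {}
    for section, key, value in findings:
        if section == "Context":
            context.setdefault(key, []).append("!" + value.split(":", 1)[0])
        else:
            bus[key] = "none"
    for directory in keep_dirs:
        context.setdefault("filesystems", []).append(directory)
    lines = ["[Context]"]
    for key, values in context.items():
        lines.append(f"{key}={';'.join(values)};")
    if bus:
        lines += ["", "[Session Bus Policy]"]
        lines += [f"{name}={policy}" for name, policy in bus.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = find_risky(parse_permissions(SAMPLE_PERMISSIONS))
    for section, key, value in found:
        print(f"risky: [{section}] {key}={value}")
    print("--- suggested override (~/.local/share/flatpak/overrides/<app-id>) ---")
    print(build_override(found, keep_dirs=("~/Documents",)), end="")
```

To run it against a real app, save `flatpak info --show-permissions <app-id>` to a file and feed that text to `parse_permissions` instead of the sample. The generated override is the file form of what Flatseal's toggles, or `flatpak override --user --unshare=network --nofilesystem=home --filesystem=~/Documents --no-talk-name=org.freedesktop.Flatpak <app-id>`, would write; `flatpak override --user --show <app-id>` prints what is currently in effect. Two caveats: static permissions are only the starting point, since an app can still request access through portals at run time, and for a third-party Discord wrapper in particular, revoking network access is not an option if you want the app to work, so the sandbox cannot by itself rule out credentials being sent somewhere; it only limits what else on the system the app can reach.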