Use root to create new user, then run app as new user.
Use root to create new user, then run app as new user.
Or you could use a separate key on each device.
Flatpacks include the dependencies with the application. So different flatpacks may have the same libraries over and over, wasting space. RPM/DEB install just the application and each dependency is a separate package, and packages that use the same dependency will share the one copy. So flatpack is better for consistency when running the app because everyone is running the same dependency version, and space isn’t as much of an issue anymore with nearly everything having more than enough storage.
A security module or a key fob/smart card processes the key internally using its own dedicated ram and cpu without any debugging support. This way, even something will full ram and cpu access or a compromise of your machine, there is no way to export or access the key. Data is passed to the module and it returns the scrambled or unscrambled result based on the key which no body knows or has ever seen. A key locked with no way to access can’t be hacked without physically stealing the module, which is where your pin comes in to save you. The TPM is a very important part of a secure boot chain. If you want to secure other things I wouldn’t blame you for using a separate module or fob that isn’t always connected util it’s actually needed and it should only be activated with a physical button or something so you have to be present to engage with it. This adds even more security. So you could use the TPM for boot chain security and a separate fob or data privacy for example.