Flatpaks are a way to get user applications (generally GUI) package in a operating system agnotic way, and with some isolation for the user session.
This also means flatpaks have difficulty dealing with GSSAPI as it often relies on the host's krb5 configuration, for default realm and other configs.
Using gssproxy for privilege separation would also mean the host krb5 config could be used, and the TGT will not be leaked in the flatpak environment.
This calls for a simplified user mode, where gssproxy is run as a user and can itself be intercepted by the host gss-proxy if needed.
Flatpaks are a way to get user applications (generally GUI) package in a operating system agnotic way, and with some isolation for the user session. This also means flatpaks have difficulty dealing with GSSAPI as it often relies on the host's krb5 configuration, for default realm and other configs. Using gssproxy for privilege separation would also mean the host krb5 config could be used, and the TGT will not be leaked in the flatpak environment.
This calls for a simplified user mode, where gssproxy is run as a user and can itself be intercepted by the host gss-proxy if needed.