what does this mean for Flatpak?

Flatseal: well that's normal, it can't control Flatpak's access controls if it is itself sandboxed. Even if it was sandboxes, it could just grant itself everything.

For Xournal: it's probably because it doesn't support portals or whatever, so it can't use the open file dialog to get permissions. So it needs to be able to get to your files somehow to open them.

In both cases, it just means its permissions model is more like regular applications you'd get from your package manager. If you install Xournal with apt/dnf/pacman it also won't be sandboxed.

The point of sandboxing is you can run applications you don't trust too much, or significantly reduce the blast radius if say, your browser gets breached: then it has another barrier to overcome to reach anything other than the browser's own data. The lack of sandboxing doesn't inherently imply the app is evil or will hack you. It just means it doesn't have the extra protection around it. So like, probably don't open sketchy PDFs in it, but I wouldn't stop using the app solely because it lacks sandboxing.

I think the problem with xournal is that it cannot ask a file portal to give it access to two related files at once. "I want to let the user pick foo.pdf.xournal, and also give me access to foo.pdf". So the next best thing is to give it the "access any damned file" permission, and let Xournal grab whatever it wants. You get the same problem with video players - you could take away their permission to open-any-file, but then they won't be able to pick up a related subtitle file.

No, you don't need to be worried. For example, Flatseal is a program to manage other flatpaks. This means that, by design, it needs to be able to grant flatpaks certain permissions that may expose them to system services they need to operate correctly.

One user mentioned that these new warnings aren't particularly helpful, because they don't give a good explanation of what or why, and they just foster anxiety in users who just want to install an otherwise reputable flatpak.

I don't know anything about xournal++, but I would imagine it's also reputably safe, and somebody else can verify for sure.

Yeah Xournal++ is probably the best hand-written note taking and PDF annotation program available on Linux, it's pretty well known. The system settings permission is to honor some global settings you might have enabled, and the file system access is so you can save and open stuff from anywhere, I assume.
- Sorry for the off topic, what's the best device to use xournal++ in your opinion? MS Surface? I guess you have used some hand-written note taking apps before since you wrote this, so you're more experienced than me for sure!

The first one allows Flatseal to edit the permissions of Flatpak apps including itself.

System folder access allows a app to read the filesystem. (But not system internals)

System settings access allows the app to change settings

So the only concerning one is Xournal. However, I happen to know that it doesn't support XDG portals which is how apps ask for permissions to files so it needs full file access. As for the system settings I have no idea.

Every app with home or even host access can modify its own permissions.

This is why apps need to implement portals.

a curse upon these distros for alarming people with such messages. they are meaningless and technically apply to every flatpak

They mean that the app has that permission. It is good that they let the user know the apps capabilities
- Not for the average/casual user, which is why this post exists.
  
  The average person will look at that and see the '!' in a triangle and became scared of what it can do to their system, even though it has no more permissions than a system package. Alternatively, they will become desensitized and learn to ignore it, resulting in installing flatpacks from untrusted and unverified sources.
  
  Overall, I just think the idea around having to sandbox all flatpaks is not a good idea. To give a concrete example, Librewolf is marked as "potentially unsafe" because it has access to the download folder, but if I want to use it to open a file that isn't in "downloads" I have to use flatseal to give it extra permissions - it's the worst of both worlds! Trying so hard to comply with flatpak guidelines that it gets in the way of doing things, and still not being considered safe enough.
a curse upon these distros

It's not the distros, it's Flathub who provides those warnings.

This is good news for flatpack!

Flatpak downloads are insecure 100% of the time