Yeah, permission popups are absolutely a thing. The system for that is called Portals: https://docs.flatpak.org/en/latest/portal-api-reference.html. The idea is an application asks for the tightest sandbox it needs to run, and then uses the Portal API to request capabilities at runtime, such as access to specific files or permission to start automatically. The catch is you can’t just make legacy applications magically use an API like that: it requires work on both ends. But it’s certainly happening, bit by bit :)
That’s why runtimes are the way they are: for most simple desktop applications, they shouldn’t really need much on top of what is already included in the GNOME, KDE, or Freedesktop runtime they depend on. (If you’re curious, `flatpak run org.gnome.Platform` and poke around). Those runtimes get regular updates within each branch for important bug fixes. Alas, many applications add at least one or two external libraries they need to build / distribute themselves, and some applications add a lot of them. But it isn’t like every application bundles its own libssl or something.
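
An added example, not part of the comment above or of Flatpak's own code: a small audit of an application's static sandbox permissions that flags broad filesystem grants which the two portal uses mentioned (picking specific files, starting automatically) could replace. The sample metadata is constructed, and the grant-to-portal mapping is this example's own assumption.

```python
import configparser

# Constructed sample of an app's Flatpak metadata ([Context] group), in the
# keyfile format printed by `flatpak info --show-permissions <app-id>`.
SAMPLE_METADATA = """\
[Context]
shared=network;ipc;
sockets=wayland;fallback-x11;pulseaudio;
devices=dri;
filesystems=home;xdg-config/autostart:create;xdg-download;
"""

# Static filesystem grants that a runtime portal request can replace.
# Assumption: this mapping is the example's own, not a Flatpak-defined list.
PORTAL_ALTERNATIVES = {
    "host": "org.freedesktop.portal.FileChooser",
    "home": "org.freedesktop.portal.FileChooser",
    "xdg-config/autostart": "org.freedesktop.portal.Background",
}


def parse_context(metadata_text):
    """Return the [Context] group as {key: [values]}; lists are ';'-separated."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keyfile keys are case-sensitive
    parser.read_string(metadata_text)
    if not parser.has_section("Context"):
        return {}
    return {key: [v for v in value.split(";") if v]
            for key, value in parser.items("Context")}


def audit_filesystems(metadata_text):
    """List (grant, portal) pairs for broad static filesystem permissions."""
    findings = []
    for grant in parse_context(metadata_text).get("filesystems", []):
        if grant.startswith("!"):        # "!path" revokes access; not a grant
            continue
        path = grant.split(":", 1)[0]    # drop the :ro / :rw / :create suffix
        if path in PORTAL_ALTERNATIVES:
            findings.append((grant, PORTAL_ALTERNATIVES[path]))
    return findings


if __name__ == "__main__":
    for grant, portal in audit_filesystems(SAMPLE_METADATA):
        print(f"filesystems={grant}: consider {portal} instead")
```
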