We already have flatpak-spawn which required --talk-name=org.freedesktop.Flatpak. I would argue that we should not make it easier to provide obvious sandbox escapes as part of portals, especially because we want to make it possible to ship and install user services with flatpak.

What would the UI for prompting the user be like? Are you imagining something like this? (probably not this text but you get the idea...)

| Sandbox escape |

"Nice App" wants to run a command outside the sandbox.
This could do literally anything.
Don't allow this unless you trust the app completely.

Command to run:
/bin/sh

[ Cancel ] [ Allow dangerous thing ]

This seems like a classic example of the dancing pigs design that portals try hard to avoid: however scary we make the text, the user is going to say "allow" because otherwise they'll be prevented from doing what they already decided they want to do.

And even if we show (a stringified version of) the command that the app wants to run, how many Flatpak/Snap/etc. users can audit whether an app-provided command is "safe" in all circumstances?

In particular, if the app is malicious or compromised, a rational attacker would go to great lengths to make the command look as benign as possible. For example, they might run something like /bin/sh or /usr/bin/python3 with a pipe into stdin, and stuff the attack payload into stdin, to avoid it appearing in the prompt.

For example, users could run their terminals in a sandbox by default

Putting a terminal emulator and its associated shell session in a sandbox is just not a great fit for the design and functionality of a terminal. The whole point of a shell session is that you can do anything in it, including composition of small "Unix-style" tools that interact with each other and with any/all of your files; but that's the opposite of a sandbox-friendly design.

There are some terminal emulators on Flathub using Flatpak as a distribution channel, like Konsole and Ptyxis, but they run only the terminal emulator GUI inside the sandbox - the shell session is outside the sandbox, in the trusted computing base, by using the --talk-name=org.freedesktop.Flatpak/flatpak-spawn --host sandbox escape (and as a result Flathub presents them with suitably scary warnings about not being meaningfully sandboxed). I think that's really the only honest security model for a genuinely useful terminal-emulator session.