If not Flatpak, what is the future for portable sandboxed applications on Linux? I would love a solution where I can run semi-trusted or untrusted applications (e.g. vscode+extensions) confident that it doesn't have uncontrolled access to whatever my userid privileges permit.

The solution for untrusted code is to not run it.