One of the downsides seems to be that since the developer packages everything together, I’m reliant on them to push out changes. For example, if some dependency needs a critical security update, then I’m relying on every Flatpak author to apply that change and push out a new version. But if I’m installing packages directly, I can update that one package and be done with it across my system.
Not all dependencies are packaged by the dev. Flatpaks run on top of runtimes, which are basically bundles of libraries (most of the important common ones) that are updated independently. A dev only needs to include libraries not in the runtimes.
That's why runtimes are the way they are: for most simple desktop applications, they shouldn't really need much on top of what is already included in the GNOME, KDE, or Freedesktop runtime they depend on. (If you're curious, flatpak run org.gnome.Platform and poke around). Those runtimes get regular updates within each branch for important bug fixes. Alas, many applications add at least one or two external libraries they need to build / distribute themselves, and some applications add a lot of them. But it isn't like every application bundles its own libssl or something.
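As an added example (not code from any poster in this thread): a small POSIX shell audit that reads the output of "flatpak list --app --columns=application,runtime" (replaced here by a constructed sample so it runs offline), shows how many installed apps share each runtime, and flags apps sitting on a runtime branch you treat as end-of-life. The EOL branch list is an assumption made up for the example, not data from any Flatpak remote.

```shell
#!/bin/sh
# Audit installed Flatpak apps by the runtime they depend on.
# On a real host, replace sample_list with:
#   flatpak list --app --columns=application,runtime
# Lines are "application<TAB>runtime" (runtime ref = id/arch/branch).

# Constructed sample data for the example (not captured from a real system).
sample_list() {
    printf '%s\t%s\n' \
        org.kde.kate         org.kde.Platform/x86_64/6.6 \
        org.gnome.Calculator org.gnome.Platform/x86_64/45 \
        org.example.OldApp   org.freedesktop.Platform/x86_64/21.08 \
        org.gnome.TextEditor org.gnome.Platform/x86_64/45
}

# Runtime refs to treat as end-of-life (space separated). Assumed for the
# example; take the real set from your remotes' announcements.
EOL_RUNTIMES='org.freedesktop.Platform/x86_64/21.08'

# Print the app IDs (one per line) that run on the given runtime ref.
apps_on_runtime() {
    awk -F '\t' -v rt="$1" '$2 == rt { print $1 }'
}

# Print "<count> <runtime>" per runtime, most-shared first. A runtime with
# many dependents is where one update fixes a shared library for all of them.
apps_per_runtime() {
    awk -F '\t' '{ n[$2]++ } END { for (r in n) print n[r], r }' | sort -rn
}

# Print "app<TAB>runtime" for apps whose runtime is in EOL_RUNTIMES. Such apps
# receive no further runtime security fixes until the developer moves them
# to a supported branch, so they are the ones to chase up or remove.
flag_eol_apps() {
    awk -F '\t' -v eol="$EOL_RUNTIMES" '
        BEGIN { n = split(eol, list, " "); for (i = 1; i <= n; i++) bad[list[i]] = 1 }
        ($2 in bad) { print $1 "\t" $2 }'
}

# Demo run over the constructed sample.
main() {
    echo "Apps per runtime:";      sample_list | apps_per_runtime
    echo "Apps on EOL runtimes:";  sample_list | flag_eol_apps
}
main
```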
In theory, the CI/CD would generate the package automatically when the git repo gets tagged for release, if they have configured it for that, so it should be able to release it rather quickly. For instance, I get an endless amount of updates for the Kate editor on Flatpak, because it constantly gets tagged for minor releases.