I am *very* concerned about `/etc/profile.d/flatpak.sh`. Specifically, it actually executes the `flatpak` executable, even for `root`!! should one initiate an interactive login session for `root` via something like `sudo -i` and that seems like a very big risk.

Even the way I discovered this leaves me alarmed. I was trying to understand why I've been seeing a bunch of lines like "flatpak: /usr/lib64/libxmlb.so.2: no version information available (required by /usr/lib64/libappstream.so.5)" appearing on my desktop at boot, just before windowing and KDE launch. Before delving deeper, I decided to go run my full system backup, which is a rather primitive script. Some parts of that backup are done as `root`, manually and interactively on my desktop. (This ain't prod!) Lo and behold: there were the messages printed on the screen! I had rather expected that they were due to some sort of profile-related stuff but I had *NOT* expected to see these messages from `flatpak` (of all things!) upon initiating a `root` session. I would never have learned that `flatpak` was being executed as `root` had the messages not been being printed.

It seems the offending line in the script is: `GIO_USE_VFS=local flatpak --installations`

RECOMMENDATION: delete the script. Find another way to populate XDG_DATA_DIRS. Whatever the case, don't *execute* `flatpak` in a script in `profile.d`! (Never forget the `xz` farce.) Checking that the user who's logging in is just a pleb would perhaps belay my concern, somewhat, but I still don't like it.

WORKAROUND: I've taken two steps on my own system:

1. Included `/etc/profile.d/flatpak.sh` in `CONFIG_PROTECT`
2. Replaced the entirety of the offending script with the following, achieving no less than the risky script from Portage:

```
if [ "$EUID" -ne 0 ] && [ -d "${XDG_DATA_HOME}/flatpak/exports/share" ]; then
    export XDG_DATA_DIRS="${XDG_DATA_HOME}/flatpak/exports/share:${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
fi
```
I suppose in theory this XDG_DATA_DIRS setting could be valuable for root, though most people probably don't run flatpak apps as root.
I don't particularly care whether `XDG_DATA_DIRS` is populated in the environment for `root`. I absolutely do care that `flatpak` (the executable) is executed as `root` – and, typically, would run silently!
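One way to check whether a `profile.d` script starts `flatpak` silently, as an added example that is not part of the original thread or of the package: a stub placed first in `PATH` stands in for the binary and records the call. The function names are hypothetical, and the two sample scripts are constructed from the line and the replacement quoted in the report.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Reports whether sourcing a profile
# script starts a given command. A stub placed first in PATH stands in for the
# command, so the real binary never runs. Limitation: a script that calls the
# command by absolute path bypasses the stub and is reported as "not run".

# usage: profile_script_runs <path/to/script> <command>
# returns 0 if <command> was invoked, 1 if not, 2 if setup failed
profile_script_runs() {
    script=$1
    cmd=$2
    tmp=$(mktemp -d) || return 2
    # The stub only records that it was called.
    printf '#!/bin/sh\n: > "%s/called"\n' "$tmp" > "$tmp/$cmd"
    chmod +x "$tmp/$cmd"
    # Subshell: the script's exports and any exit/return stay contained.
    ( PATH="$tmp:$PATH"; export PATH; . "$script" ) >/dev/null 2>&1 || :
    if [ -e "$tmp/called" ]; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return "$rc"
}

# Constructed samples: the line quoted in the report, and its replacement.
write_samples() {
    dir=$1
    printf '%s\n' 'GIO_USE_VFS=local flatpak --installations' > "$dir/original.sh"
    cat > "$dir/workaround.sh" <<'EOF'
if [ "$EUID" -ne 0 ] && [ -d "${XDG_DATA_HOME}/flatpak/exports/share" ]; then
    export XDG_DATA_DIRS="${XDG_DATA_HOME}/flatpak/exports/share:${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
fi
EOF
}

# Stand-alone use: sh check.sh /etc/profile.d/flatpak.sh flatpak
if [ "$#" -eq 2 ]; then
    if profile_script_runs "$1" "$2"; then
        echo "$1 executes $2 when sourced"
    else
        echo "$1 did not execute $2 via PATH"
    fi
fi
```

The script under test is sourced for real, so everything in it other than the stubbed command still runs with the caller's privileges.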