Nix Packages vs Flatpak - CVEs

Hi,

I am seeking some advice with respect to GUI packages.

Initially I was trying to use Nix packages (and no Flatpak) on Unstable (through Flakes). I ended up running into quite a few CVEs, and the system would not rebuild without allowing the insecure package.
I know I can allow all insecure packages, but I worried about the repercussions.

Later I switched back to 25.05 and used Flatpak when possible to reduce the chance of CVEs, as I prefer for my system to update when possible.

Is there any way to have the benefits of Nix and have it install a package, but isolate its rebuild (meaning the core part of the system can update)?
From my understanding, if I used Home-Manager and there was a CVE, it would have also prevented all the other packages from updating that were installed through Home-Manager.

If I use Flatpak, it doesn't seem to have this problem, as it can be on an old runtime (with a CVE), but at least the other Flatpak packages are updating fine.

Am I thinking about this right?

No. Permitting insecure packages is exactly as safe as using flatpak if you’re using things affected by known CVEs. Nix might even do better given the whole diamond dependency thing. As long as you permit such packages, everything else will be updated fine, too; you don’t have to allow all insecure packages, FWIW, you can select specific ones.

Using stable also doesn't put you behind on package versions as far as CVEs go; stable just means that breaking changes aren't backported. Security fixes (sometimes even when breaking) are explicitly one of the types of changes that are backported.

That said, what package specifically are you talking about? My system closure has only once contained something with a package marked that way in what’s getting pretty close to a decade of using nix; you’re likely depending on one or two very inadvisable packages that you could (and should!) probably just replace with something more modern.
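To make the "select specific ones" point concrete, here is a configuration.nix fragment showing the selective and the blanket forms side by side. This is an added example, not code from either poster; the package name "example-app-1.2.3" is a placeholder, and the exact string to use is the one nixpkgs prints in its "is marked as insecure, refusing to evaluate" error.

```nix
# Added example (not from the thread): permitting one insecure package
# without disabling the check for everything else.
{ config, pkgs, lib, ... }:

{
  nixpkgs.config = {
    # Selective form. Entries are "<pname>-<version>", exactly as the
    # evaluation error prints them. Because the version is part of the
    # string, the exception silently expires when the package is bumped,
    # so a later (hopefully fixed) release is evaluated normally again.
    permittedInsecurePackages = [
      "example-app-1.2.3"   # placeholder; copy the real name from the error
    ];

    # Middle ground: permit every version of a named package, but nothing
    # else. Useful when the package is bumped often and you accept the risk
    # for that one program only.
    # allowInsecurePredicate = pkg: builtins.elem (lib.getName pkg) [ "example-app" ];

    # Blanket form ("allow all insecure packages"). Left commented out on
    # purpose: it also hides every package that gets marked insecure in the
    # future, which is the repercussion the question is worried about.
    # allowInsecurePredicate = pkg: true;
  };
}
```

The rest of the closure keeps updating either way; only evaluation of the listed derivation is affected. For a Home Manager configuration the same `nixpkgs.config` attributes are accepted there too (unless `useGlobalPkgs` hands the system's nixpkgs config through), so a single insecure package does not block other Home Manager packages from updating. Reviewing the list periodically, and removing entries whose version no longer exists in the channel, keeps the exceptions from outliving the reason they were added.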