Can you elaborate? What security issues? Could installing runtime X subvert runtime Y used by other apps, e.g. by claiming that X is an update for Y? In that case I'd expect that GPG keys have to match, or something like that.
Yeah, the app requires the runtime X, which is not installed, and adds a remote to install it, but the remote could also contain a malicious version of the runtime Y, which is already installed and used by other apps, and the malicious version overrides it as an update. Then other apps get infected. I think all that matters is the runtime ID and version; AFAIK GPG only checks whether the runtime comes from the remote it claims it does. Yes, there could be a safety catch that would prevent updating the runtime from a different remote than the original one.
I think this is quite essential to have. It would allow automatic runtime installation without any questions asked, which is something I expected (or at least hoped for) from Flatpak. I want to download a file and double-click on it. I don't want to decide whether remote X needed for runtime Y is trustworthy or not. The user should not even know what a runtime is; it should be completely transparent :)
I'm no security expert but in my naive world it shouldn't be too hard to make sure that remotes can't supply updates for runtimes from other remotes, using digital signatures.
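One way to implement the safety catch discussed in this thread (pinning an installed runtime to the remote and signing key it was first installed from), as an added example that is not part of the thread or of Flatpak's own code; the runtime ids, remote names and key fingerprints are constructed placeholders:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class InstalledRuntime:          # what the installer recorded at first install
    runtime_id: str              # constructed id, e.g. "org.example.RuntimeY/x86_64/1"
    version: str
    origin: str                  # remote it came from; this is what gets pinned
    key_fpr: str                 # fingerprint of the key that signed it (constructed)

@dataclass(frozen=True)
class UpdateCandidate:           # an update some remote is offering
    runtime_id: str
    version: str
    remote: str
    key_fpr: str

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def check_update(installed: dict, cand: UpdateCandidate) -> tuple:
    """Return (accept, reason). `installed` maps runtime_id -> InstalledRuntime."""
    cur = installed.get(cand.runtime_id)
    if cur is None:
        # Nothing to protect yet: a first install comes from whichever remote offers it.
        return True, "new runtime, installing from " + cand.remote
    if cand.remote != cur.origin:
        # The safety catch from the thread: a remote added to fetch runtime X
        # must not be allowed to replace runtime Y that another remote supplied.
        return False, f"origin pinned to {cur.origin}, refusing update from {cand.remote}"
    if cand.key_fpr != cur.key_fpr:
        return False, "signing key differs from the one recorded at install time"
    if parse_version(cand.version) <= parse_version(cur.version):
        return False, "not newer than installed version " + cur.version
    return True, "accepted update from " + cand.remote

# Constructed sample state: runtime Y is already installed from remote A.
INSTALLED = {
    "org.example.RuntimeY/x86_64/1": InstalledRuntime(
        "org.example.RuntimeY/x86_64/1", "1.4", "remote-a", "KEY-A-FPR"),
}
# Remote B was added to obtain runtime X, but also advertises a "newer" runtime Y.
ROGUE_Y = UpdateCandidate("org.example.RuntimeY/x86_64/1", "1.5", "remote-b", "KEY-B-FPR")
LEGIT_Y = UpdateCandidate("org.example.RuntimeY/x86_64/1", "1.5", "remote-a", "KEY-A-FPR")
NEW_X = UpdateCandidate("org.example.RuntimeX/x86_64/1", "1.0", "remote-b", "KEY-B-FPR")

if __name__ == "__main__":
    for c in (ROGUE_Y, LEGIT_Y, NEW_X):
        print(c.runtime_id, c.remote, check_update(INSTALLED, c))
```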