One of the downsides seems like since the developer packages everything together, I’m reliant on them to push out changes. For example if some dependency needs a critical security update then I’m relying on every flatpak author to apply that change and push out a new version. But if I’m installing packages directly, I can update that one package and be done with it across my system.

Not all dependencies are packaged by the dev. Flatpacks run on top of runtimes which are basically bundles of libraries (most of the important common ones) that are updated independently. A dev only needs to include libraries not in the runtimes.