Bundle the needed libraries inside the app package, or otherwise prevent them from being globally visible to other apps, and not make it easy for users to directly install them
Those libraries “inside the app package” would still be versions picked by the distro, and would still “inevitably take longer to get security fixes than upstream” as you put it. In addition it would take more disk space by having multiple copies.
I don’t understand your recommendation. How could the distro package apps if they don’t package the libraries they depend on?
Bundle the needed libraries inside the app package, or otherwise prevent them from being globally visible to other apps, and not make it easy for users to directly install them
Those libraries “inside the app package” would still be versions picked by the distro, and would still “inevitably take longer to get security fixes than upstream” as you put it. In addition it would take more disk space by having multiple copies.
Is there a single benefit to this?