* and/OR trust yourself to read and vet the manifest. (Flatpaks have manifests, which are somewhat similar to how AUR packages have pkgbuild files, which allow you to see how the package is built, and from what sources. So experienced users can establish trust in an unofficial flatpak without necessarily trusting the person who published it).
I think my preference would be the distrobox + the official debian package. But I think the flatpak is most likely safe and not too hard to vet yourself. And I’m still holding out hope that Signal will take over the unofficial flatpak at some point (from what I stand it seems like a no brainer considering it would work across (almost) all distros, but I think they have expressed disinterest in doing so)