Zorin is a fork of Ubuntu (and to some degree Ubuntu is a fork of Debian - I even read one time Ubuntu claiming Debian was a fork of Ubuntu, not so). So when you change your Software sources in Software Updater to Main Server you are getting Software from Canonical servers. Zorin references in Software channel uses APT to pull in Applications. Here is an excellent article that explains this:
https://www.howtogeek.com/791055/apt-vs-apt-get-whats-the-difference-on-linux/
The coordinator of my local Linux User Group explained that snap is as bad as Telnet or 'finger' from a security angle. There has recently been a security issue with flatpak being hacked. My personal preference is to remove both post install (I wrote a Tutorial on this linking articles on how to do it [HOW TO] Remove snapd and flatpak ... should you wish to ). The issue for me in regards to App Images is they don't update with system updates, they have to be manually updated, that is why I prefer older version of Inkscape, it still has the same functionality as the newer App Image version. On a side note, flatpak was the brainchild of several application developers which garnered the interest of Red Hat who just happened to send Lennart Poettinger to the flatpak group to find out more. Some wags on another forum suggested, with Lennart's development of systemd and pulseaudio why Linux isn't referred to as Lennart Linux!
Subsequently, Red Hat adopted flatpak as the default form of Application container, and just as they did with the inferior systemd and pulse audio, attempted to force it as the standard to be adopted by all the other 'mainstream' distributions. Canonical developed their own container, snap, and caused such a stir between it and founder of Linux Mint when they stated they would not support forks of Ubuntu which allowed flatpak packages to be present. Sadly, the argument of which is better overshadowed the obvious, "Why fix [APT] what ain't broke in the first place?!" In terms of security, fundamentally a system is only as secure as:
-
The initiators of code have done a thorough job, and
-
The users of applications also take care, such as using browsers which is not in control of the developers of such apps. Having said that, the only secure browser at present is unGoogled Chromium.
At the end of the day, no system is secure as they are written by humans. If A.I. were allowed to develop Operating Systems they would be very secure ... the downside being we mere humans would not be allowed to use it.