If I globally disable filesystem access to home (i.e. filesystems=!home;), and an app declared that it needs home/some-dir, do I need to explicitly prevent access or do my global settings take precedence?
If the application ID APP is not specified then the overrides affect all applications, but the per-application overrides can override the global overrides.
I assume you know Flatseal (GUI application for Flatpak permissions), right? After installation of a Flatpak app, you can go to the Flatseal settings and make sure to disable access if the application enabled anything you don't like. I do not think there is an automatic way to force a specific setting for all applications. You have to deal with this per application. But I can be wrong here.
I'm asking global override vs application manifest (not application override). So the app asks for access to home/some-dir but I have a global override that blocks access to home entirely.