My main interest in snaps comes from a preference to trust fewer parties while hopefully not having to go too far out of my way to do it.
Since --classic implies that it has .deb-like properties, does that mean that snaps are allowed to run scripts as root on install? Or “just” that they have unfettered access to the filesystem and devices as the current user?
eg. Slack is unfortunately published to require classic confinement, does using their snap mean I am still trusting them with just as much access to my computer as when I was using their apt source?
The simple answer is that yes, it is possible for a classic snap to execute scripts as root similar to a .deb package. However, it doesn’t look like the Slack snap is using any hooks at present.
Through the use of the configure, install, and remove hooks, snaps can execute code as root on install, update, and removal:
For classic snaps these hooks run effectively unconfined, which is one of the reasons uploads of classic snaps to the store trigger manual review.
For strict confined snaps the hooks still run as root, but are run under the snap’s confinement policy that restricts what files it can read and write. In particular, the hook won’t be able to read any files in your home directory (the AppArmor rules granting access there use the @owner modifier, which requires files be owned by the same user as the process).
I’ll also add that we are working to increase what a strict confined snap can do (e.g. making services accessible via xdg-desktop-portal). So the hope is that fewer apps will require classic confinement as time goes on.