It's not a weakness or inflexibility in the Wayland protocol. There's no way to make it work there. They had to rework the way security is done, and that's a much bigger task that touches lots of other parts of the OS. I keep saying this but you're not listening to me. Why?
Yes, if you want to use a secure system then you need to only go through secure APIs. If you cut out security in the name of making a "light" compositor then you just lose the ability to run sandboxed apps correctly, so it's crippling your desktop for no good reason. The XDG portal was built as a secure API to support Flatpak but it doesn't actually need Flatpak. The compositor is what needs to implement it so any sandbox can use it.
Yes, if you want to use a secure system then you need to only go through secure APIs. If you cut out security in the name of making a "light" compositor then you just lose the ability to run sandboxed apps correctly, so it's crippling your desktop for no good reason. The XDG portal was built as a secure API to support Flatpak but it doesn't actually need Flatpak. The compositor is what needs to implement it so any sandbox can use it.