Care to elaborate on 'the risks of flatpak'? If you are referring to the practice of people using unofficial flatpaks: Yes, I think that poses a certain risk because you are adding an additional party to your threat model.
Dorsey took care to hire on for the Bluesky staff a collection of LessWrong rationalists, neoreactionaries, VibeCamp anti-wokeist race scientists and crypto developers. And Bluesky still had to asymptotically approach a tolerable degree of moderation and — eventually, despite the CEO and several devs being followers of the test case offender — ban the Nazis.
Pocketbook also makes great devices, not that well known outside of EU but their software has more features than Kobo and is (as of yet) not in the book selling market so no conflict of interest (and no analytics, contrary to Kobo).
Export your OTP database to an (optionally) encrypted file on a USB stick and put that in a lockbox/somewhere safe. If encrypting the stick/file: make sure you use a memorized/written down password.
If possible: do that on company time. Let the boss pay for it.