There are a couple of reasons. For starters, the applications and all of their files/dependencies are contained in a single location, making them easier to manage/remove and help avoid any dependency hell. They’re distro agnostic, which makes it easier for developers and distro maintainers to troubleshoot. The applications are also somewhat sandboxed, which essentially doesn’t exist otherwise on any distro. Not a perfect solution by any means, but I install all of my main applications this way. Permissions can be further tweaked/restricted with Flatseal. Only thing I’d be wary of is installing any Chromium-based browser this way as it replaces Chromium’s layer-1 sandbox with Flatpak’s, which is inherently weaker.
Brave uses Chromium code, but it is not a Google product. And I believe you are conflating security and privacy. The Chromium codebase is in fact more secure than Firefox in many areas. There is only so much hardening you can do security-wise before you are limited by its codebase. From a privacy perspective, though, you can definitely make the argument against Google. Brave, however, removes/replaces most of the Google stuff.