It's probably because Firefox binaries released by Mozilla are built with profile-guided optimization, but many distros build it without PGO.

Then should arch ship the binary version of firefox? Or should arch enable PGO as well?
What's the point of rebuilding firefox is the result is inferior?

Arch ships with PGO, https://github.com/archlinux/svntogit-packages/blob/eb0b75befc0e9da68a85a94ec47d1fc47850c60b/trunk/PKGBUILD#L125

PGO enabled. Can we close the issue now?

arch: 125 +/- 2.2
flatpak: 133 +/- 3.3

Not there yet, you have more work I suppose.

It's very hard to investigate in it.
There is a plethora of variables at stake: compiler options, compilation options, runtime options, different libraries, ...

And we don't know how these variables are handled from the flatpak side.

Just for fun, have you tried running the benchmark with a compiled-by-you version of Firefox?

Flathub is using the binary distribution of firefox, they don't build it themself.

It's the same... If we do not know how those variables are handled by Mozilla, it's basically impossible for us to get to the root of the problem.

And, since we are talking about an application which bundles in it libraries, this could NOT be an issue of Firefox itself BUT an issue of a dependency of it.

If I knew where the problem is I'd tell you.
If Firefox is slower because of a lib, then maybe many applications are affected which would raise the importance of this issue?
One other option would be to not rebuild firefox and use their binary distribution.

Ok, we are going OT.

I see the issue (numbers don't lie) and I am in primis concerned about it, but at the same time I can't imagine how to address it.

There are many things to say but I do not think this is the right place.

For this reason I leave the discussion.

Besides using a different build of Clang, our *FLAGS contain a considerable amount of hardening that Mozilla's build does not have. I'd tentatively blame that.

Why wouldn't firefox build with hardening flags? Just for performance?
Do those flags make firefox more secure?

6% of performance loss for hardening flags seems quite high though.

I think it is especially important to raise the security for a web browser. But what about sandboxing? I actually feel safer with firefox being ran within a sandbox like in flatpak.

I also think that they know what they are doing at Mozilla when they build Firefox.

Here's a build without our hardening:

https://pkgbuild.com/~heftig/firefox-98.0.1-1.1-x86_64.pkg.tar.zst

I've tested your build. I got variable results, it went down to 120, then I ran it again in private browsing and it went up to 137.

I believe it is maybe related to ublock or the the amount of cookies / history / ...

Sorry seems like a user error!