Currently we work around T9644 by always starting a gpg-agent inside the flatpak (to ensure the correct options are set). This is because the default fallback mechanism will not find the right pinentry, because the runtime doesn't ship what we want and the lookup paths are hardcoded.
The downside of this solution is that you always have to unlock the keyring.
If we were able to use the host gpg-agent we could benefit from an already started gpg-agent (and a potentially cached password).
For this to work properly it might be necessary to extend flatpak with an option to share the gpg-agent socket (similar to what is already available for ssh-agent).
See also: