2ion | 3 years ago

Snap makes sense, because it deals with desktop application confinement. Any Firefox process launched as $user is able to use all the RAM, read and write all the files, access all the networks and basically do everything as that user. You don't want that, it's stupid and so Windows 95.

There are alternative solutions: QubesOS uses VMs as the isolation layer, desktop application confinement using firejail with its good selection of profiles tweaked to my liking, systemd-run confinement configured through the vast resource control options made configurable through systemd. There is no reason ~ or even / shouldn't appear completely empty to Firefox the process except for the resources you pass to it (open file, grant download permissions...) or which it needs to run (of course, those would be immutable as far as possible). SELinux and AppArmor are child's play; you don't have a lot of problems with those tools if there are no objects a process could access in its namespace to begin with.

macOS I believe is already there in terms of desktop app confinement. Windows is not but at least it has the controlled folder access layer available after they gave up on making store apps meaningfully secure as its own app category (too many escapes/config tweaks possible now). Desktop Linux though has not had squat in that field in the mass market for 2 decades. Basically, you guys run all applications unconfined. Snap is a way to work on changing that.

Not saying though that the current implementation is exceptionally good. It's too slow, and they should have reused systemd or whatever for a thin, tweakable resource control and container layer, not invent a container format from scratch.
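The systemd-run confinement the comment describes, as an added example that is not part of the post: a small wrapper that runs a program as a transient systemd user service whose home directory appears empty except for one read-only input file and one writable directory, with cgroup resource limits attached. It assumes a systemd user session on a kernel that allows unprivileged user namespaces (required for ProtectHome= and ProtectSystem= in --user mode), and the file and directory paths are supplied by the caller.

```shell
#!/bin/sh
# Added example: launch a program as a transient systemd user service whose
# view of $HOME is an empty tmpfs except for one read-only input file and one
# writable directory, with memory, CPU and task limits on its cgroup.
# Assumes a systemd user session and a kernel that permits unprivileged user
# namespaces, which ProtectHome=/ProtectSystem= need in --user mode.
# For a graphical program the display socket must be bound in as well
# (Wayland: BindPaths=/run/user/$(id -u)/wayland-0; X11: BindPaths=/tmp/.X11-unix).

# Print the systemd-run arguments, one per line, for a given read-only file
# and writable directory (hypothetical paths chosen by the caller).
confine_args() {
    ro_file=$1
    rw_dir=$2
    printf '%s\n' \
        --user --pty --wait --collect \
        --property=ProtectHome=tmpfs \
        --property=ProtectSystem=strict \
        --property=PrivateTmp=yes \
        --property=PrivateDevices=yes \
        --property=NoNewPrivileges=yes \
        "--property=BindReadOnlyPaths=$ro_file" \
        "--property=BindPaths=$rw_dir" \
        --property=MemoryMax=2G \
        --property=CPUQuota=200% \
        --property=TasksMax=512
}

# Run a command under the confinement above.
# Usage: confine_run <ro-file> <rw-dir> <command> [args...]
# e.g.   confine_run "$HOME/Documents/report.pdf" "$HOME/Downloads" ls -A "$HOME"
#        lists only Documents and Downloads; the rest of $HOME is absent.
confine_run() {
    [ -r "$1" ] && [ -d "$2" ] || { echo "confine_run: bad file or dir" >&2; return 1; }
    ro_file=$1; rw_dir=$2; shift 2
    old_ifs=$IFS
    IFS='
'
    set -f                              # no globbing while splitting on newlines
    set -- $(confine_args "$ro_file" "$rw_dir") -- "$@"
    set +f
    IFS=$old_ifs
    systemd-run "$@"
}
```

systemd-run prints the transient unit name on start, so `systemctl --user status <unit>` shows the applied limits and mount sandbox while the program runs.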
