[kworker]

On linux you can use firejail if it's necessary (or a container if it's needed).

[staticassertion]

This doesn't address what they just said - dropping privileges incrementally. Firejail is just a whole process filter applied at process start.