Sandstorm.io is a sandboxing/app-deployment system that runs on Linux servers and uses capability-based security and fine-grained permissions. (As a note, it sandboxes individual "grains", which are single documents or instances, not entire apps.)
Of course, Sandstorm is built to present a cloud-like web app interface, not local desktop or mobile apps.
I still think personal servers are the eventual way to go, such that people's mobile devices they carry with them aren't the definitive location of lots of their valuable data.
I'm no security researcher, but I have read one who said that, because firejail is a setuid program, a bug in it can potentially be turned into an exploit with root access.
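An added example (not from this thread, and not firejail's own tooling) of the check an administrator would run before trusting the claim above on a given host: whether a sandbox binary actually carries the setuid bit and who owns it. The firejail path in the comment is an assumption; the demonstration itself uses a constructed temporary file so it runs without root and without firejail installed.

```shell
#!/bin/sh
# Report whether a file has the set-user-ID bit and which user owns it.
# Prints "setuid owner=<user>" (exit 0), "not-setuid owner=<user>" (exit 1),
# or "missing" (exit 2). Uses only POSIX test(1) and ls(1).
setuid_status() {
  f="$1"
  if [ ! -e "$f" ]; then
    echo "missing"
    return 2
  fi
  # Third column of `ls -ld` is the owner (name, or numeric uid if unresolvable).
  owner=$(ls -ld "$f" | awk '{print $3}')
  if [ -u "$f" ]; then
    echo "setuid owner=$owner"
    return 0
  fi
  echo "not-setuid owner=$owner"
  return 1
}

# Demonstration on a constructed temporary file: set the bit, check, clear it, check.
demo() {
  tmp=$(mktemp)
  chmod 4755 "$tmp"
  setuid_status "$tmp"          # setuid owner=<you>
  chmod 0755 "$tmp"
  setuid_status "$tmp" || true  # not-setuid owner=<you>
  rm -f "$tmp"
}

# On a real host, the call of interest is (path is an assumption, adjust for your distro):
#   setuid_status /usr/bin/firejail
```

A result of `setuid owner=root` is the situation the comment describes: any bug reachable before the program drops privileges runs with root's identity, so such binaries deserve the same patching priority as the kernel.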