[jrockway]

The systemd slice approach is the same mechanism as containers.

The security problem is being able to talk to the same X server as trusted applications. X clients can do pretty much all the things you don't want Zoom to do; look at your screen, observe your keystrokes, etc. (Sadly, many of Zoom's features, like screen sharing, are also great things for spyware to do in the background. Not saying Zoom does this, but if you don't trust them, this level of access is the part that worries people, not consuming too much CPU.)

[yc12340]

> The security problem is being able to talk to the same X server as trusted applications

Use Ctrl+Alt+F<number> to switch into another VT and run a different X server. Run zoom in container there.

I found this a lot more convenient than messing with nested X servers and other types of X11 client isolation. Each time you leave an X server and switch to another VT, the clients perceive it like the monitor being turned on/off.

[mbarbar]

Thank you for this, easy solution that didn't cross my mind. I wanted to restrict Zoom from reading files (solved by a sandbox) while also sharing my screen from my normal environment (VM is out of the picture) but also preventing it from looking at the X clipboard and all that stuff.