by hulitu 1254 days ago
The modern web browser is an RCE vulnerability in itself. That developers seem to think this is a good idea is beyond my comprehension.

On a modern system the browser should run ideally in a virtual machine without any access to hardware or filesystem.

1 comments

On a modern Linux distro a web browser installed from Flatpak/Snap will be sandboxed in a container. But you need to be using Wayland too (or set up a separate X11 sandbox) because X11 circumvents the container. Example code for it here: https://mjg59.dreamwidth.org/42320.html
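
An added example, not part of either comment and not the code at the linked post: a small audit of a Flatpak app's `[Context]` permissions that reports whether the X11 socket, broad filesystem access, or all devices are shared into the sandbox. The function names, the finding labels, the `session_type` argument and the sample text are assumptions made for illustration.

```python
import configparser

# Constructed sample in the keyfile layout that
# `flatpak info --show-permissions <app-id>` prints; not a real app's output.
SAMPLE = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=xdg-download;home:ro;
"""

def parse_context(text):
    """Return the [Context] keys as lists, dropping '!negated' entries."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    if not cp.has_section("Context"):
        return {}
    return {key: [v for v in value.split(";") if v and not v.startswith("!")]
            for key, value in cp["Context"].items()}

def audit(text, session_type):
    """session_type is the desktop session, 'wayland' or 'x11'
    (assumed input, e.g. the value of $XDG_SESSION_TYPE)."""
    ctx = parse_context(text)
    sockets = ctx.get("sockets", [])
    if "fallback-x11" in sockets:
        # fallback-x11 overrides x11: X11 is shared only when the app
        # cannot use Wayland (not granted, or no Wayland session).
        x11 = not ("wayland" in sockets and session_type == "wayland")
    else:
        # Plain x11 is an unconditional grant of the X socket.
        x11 = "x11" in sockets
    findings = ["x11-socket"] if x11 else []
    # Path part before ':' (e.g. 'home:ro' -> 'home').
    fs = {entry.split(":", 1)[0] for entry in ctx.get("filesystems", [])}
    if fs & {"host", "home"}:
        findings.append("broad-filesystem")
    if "all" in ctx.get("devices", []):
        findings.append("all-devices")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, "wayland"))
```

To check an installed app, pass the text printed by `flatpak info --show-permissions <app-id>` in place of the sample.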