[spoiler]

Not a security expert, so I could be wrong.

I imagine stuff like AppArmor, Snap (or Craft? I forget) sandboxes, or Docker and LXCs help with this. Or do they not?

[smashed]

That is exactly what snap is aiming for.

Apps run in a sandbox and have no access to user files except through "portals", which are secure file pickers essentially.

[lfodofod]

Yes, AppArmor and snap try to. Still worlds away from what Windows and OS X are doing, not to even mention mobile platforms.

[ElectricalUnion]

> Still worlds away from what Windows

Not really, it's a on-purpose contrived thing to attempt to deploy sandboxed apps on Windows.

Developing a sandboxed app in Windows means deploying a correctly sandboxed Appx in Microsoft Store, and getting those (Appx deployed on Microsoft Store) correctly working is hell for any non-trivial application.

On Linux, you can attempt (it's not garanteed to work) to sandbox anything you want. Whenever the sandbox even is able to conveniently defend what really matters to you (say, your private key files) is another matter.

[franga2000]

Linux with snap or flatpak is far closer to mobile than whatever isolation Windows and MacOS have. The difference is in how widely and well implemented it is (it's neither).