Systemd-homed is portable.
Still, "Reprovision" the broken userspace for the user.
Local k8s like microshift that does container-selinux like RH / Fedora, with Gnome and Waydroid would be cool to have for the kids.
Podman-desktop (~Docker Desktop) does k8s now.
K8s defaults to blocking containers that run as root now, and there's no mounting the --privileged docker socket w/ k8s either. Gitea + DroneCI/ACT/ci_runner w/ rootless containers. gVisor is considered good enough for shared server workloads.
Repo2docker + caching is probably close to "kid proof" or "reproducible".
VS Code has "devcontainer.json".
SciPy stacks ( https://jupyter-docker-stacks.readthedocs.io/en/latest/using... ) and Kaggle/docker-python (Google) take how many GB to run locally for users < 13 who we don't afford cloud shells with SSH (Colab with SSH, JupyterHub (TLJH w/ k8s)) for either.
Are flatpaks out of the question? Used to be "Gnome and Chrome" on ~Gentoo.
Shouldn't the ChromiumOS host be running SELinux, if the ARC support requires extended filesystem attributes for `ls -alZ` and `ps -aufxZ` to work?
Chromium and Chrome appear to be running unconfined? AppArmor for Firefox worked years ago?
https://www.google.com/search?q=chromium+selinux ; chrome_selinux ?
It seems foolish to have SELinux in a guest VM but not the host.