[kaba0]

> I suspect you would find Android on that hardware to also suck

Not at all, android is smooth as butter on even significantly worse hardware.

> if you must download random untrusted code and execute it, then you should run it inside bubblewrap/firejail/docker

There is no if, this is the case for everyone, and thus the default should be sandboxed. Plus, a sandbox should have appropriate channels to communicate with other sandboxes, otherwise you are not ahead even a bit. Just think about a memory unsafe program like a PDF reader opening an untrusted file. It is already ripe for executing arbitrary code, no need for compiling stuff.