[vrighter]

No, I don't. Because it doesn't need to. But not running as root already provides all the protection I want. System files are not my data. My data lives in my home. I want my apps to have access to my stuff, not the whole system. But more importantly, I do want them to be able to talk to each other and effortlessly open files written by one another. "Isolating" them from each other is pointless if I then proceed to punch holes in everything just so it can work.

"This thing isn't working ... "Oh... it turns out it was missing a permission, should I give it that permission? What's it for? Fuck if I know..."

Or the other way round:

"This app seems like it's working properly, but can I restrict this particular permission for it? Fuck if I know. I'll just try and see if anything is broken"

Or I can just run the application normally and have everything always work.

[cookiengineer]

You should dig into ~/.local and what happens there. I'd never store my keepassxc database file in my home folder if I were you.

Apps need sandboxing, because the linux/posix philosophy of separation through users and groups for each process doesn't really work in the modern day and how graphical software works.

Firejail's approach comes close to "sane" user sandboxes, but technically that's the job of the init daemon (pid 0), there's just no GUI for systemd sandboxes yet that's easily usable.

Podman is also really nice as a user-facing sandboxing daemon.

[vrighter]

i know what happens in there. Shit that I install because I want to goes in there. And my keepassxc password is protected by a strong password and a hardware token. They are specifically designed so you can safely store them anywhere (ex cloud backup), so I don't see why you brought that specific example up