• Possibly linux@lemmy.zip
    10 hours ago

    Flatpak has promise but the sandbox is much weaker than Android. I wouldn’t run anything untrusted with it as sandbox escapes are likely possible. Bubblewrap is highly portable at the cost of being less secure. Kernel-level sandboxing such as SELinux and namespaces is much more bulletproof since it leverages the kernel.

    Honestly, if you are building something from the ground up, I would instead focus on virtualization since the Linux kernel isn’t exactly free of security issues.