If you're running android I believe you can set up a work profile with its own apps. On graphene you definitely can, with its own filesystem and everything.

I wouldn't install work programs directly on my devices without some kind of sandboxing because of cases like this.