We've been exploring libseccomp/BPF filters on top of bubblewrap namespaces for LLM sandboxing - the BPF layer lets you go beyond read-only mounts to syscall restrictions. Open to collaboration on pushing this further: https://github.com/corv89/shannot