If we are looking at things like gVisor or Firecracker, SELinux might be an alternative. From what I can see, SELinux prevented both copy fail and dirty frag, and maybe also fragnesia, but I couldn't find any definitive answer on that one.
Last time I tried, it was a pain to set up and a pain to use, but as a sysadmin there are a lot of things that share those attributes. The only question is if it's worth it. If the current avalanche of patches continues, it might.
From what I understand, SELinux can prevent copyfail, dirtyfrag and maybe fragnesia, although it might not always.
I presume you are referring to the GrapheneOS post/thread about this[0], although this implementation is not the same implementation we see on Fedora or Debian, for example, and it appears these distros were (and are) still vulnerable to this exploit with the out-of-the-box configuration of SELinux on these systems.
SELinux is a bear when you’re reacting to it, but ever since I took a day to proactively read about it, it’s become much easier to reason about. It’s not actually all that complex.
I still need to troubleshoot from time to time, but I never reach for permanent setenforce 0 anymore.