> It's getting better, and Linux does have the advantage of having some powerful primitives to exploit, but the desktop suites come from a totally different world,

When opening the printer configuration page in the KDE configuration panel, I was pleasantly surprised to see it's process runs wrapped inside a bwrap session. Cups is a bit of old and dangerous; I'm glad they sealed that off inside a sandbox. If you ask me, I would make this approach the standard for any software. The configuration panel for fonts doesn't need network access, so at least `bwrap --unshare-net`