System Level: Protect critical files from being accessed by untrusted applications.
1. Such as browser cookies, SSH keys, etc.
Per-App Level: Prevent untrusted applications(such as closed-source apps) from:
1. Accessing files they shouldn't.
  - Such as a malicious application accessing your browser's cookies, SSH Keys, etc.
2. Accessing the network when they don't need to.
3. Accessing hardware devices they don't need.

Current Status

System Level:
- AppArmor
- Kernel & System Hardening
Per-App Level:
- Nixpak (Bubblewrap, running at user-level)
- Firejail (a SUID program, meaning it's running as root)

Kernel Hardening

NixOS Profile: https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/profiles/hardened.nix
Apparmor: roddhjav/apparmor.d
- https://gitlab.com/apparmor/apparmor/-/wikis/Documentation
- AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes.
- But all the profiles of AppArmor assume a FHS filesystem, which caused all apparmor policies takes no effect on NixOS.
- Apparmor on NixOS Roadmap:
  - https://discourse.nixos.org/t/apparmor-on-nixos-roadmap/57217
  - https://github.com/LordGrimmauld/aa-alias-manager
SELinux: too complex, not recommended for personal use.

Bubblewrap: nixpak, more secure than firejail, but no batteries included.
- NixOS's FHSEnv is implemented using bubblewrap by default.
Firejail: A SUID security sandbox with hundreds of security profiles for many common applications in the default installation.
- https://wiki.nixos.org/wiki/Firejail
- Firejail needs SUID to work, which is considered a security risk - Does firejail improve the security of my system?
Systemd/Hardening: Systemd also provides some sandboxing features.

Running untrusted code is never safe, kernel hardening & sandboxing cannot change this.

If you want to run untrusted code, please use a VM & an isolated network environment, which will provide a much higher level of security.