Hacker News

mittensc, today at 5:52 AM

You can use VMs for sandboxes.

Linux's main feature is that you are free to do anything you want.

Linux does verify signatures for packages from official repos.

Linux has features like SELinux and AppArmor.

If you want to install a random package, you are free to do so, and it's your responsibility. The equivalent is sideloading on Android.

On iOS Apple doesn't even let you have full Firefox... That is wrong. And yet, there have always been exploits.


Replies

codedokode, today at 6:18 AM

I thought about a VM, but it would be pretty expensive and require a lot of RAM (which is not cheap nowadays and not always upgradeable on laptops. How would you upgrade your 8 Gb MacBook?) and CPU overhead to emulate the hardware and run one more kernel. The program in the VM would not be able to use OpenGL/Vulkan, access the audio card with low latency (for working with audio), or connect to DBus (to interact with other software).

I actually ran Windows games like Cyberpunk in QEMU on a Linux host without performance loss, but that required adding a dedicated GPU for the guest, and to use realtime audio, one needs to pass through an audio card into the guest.

Furthermore, the CPU already provides a "sandbox" (isolated memory) for processes. The problem is that Linux allows the program to ask the kernel to do anything.

> Linux has features like SELinux and AppArmor.

Neither SELinux nor AppArmor allows showing a question like "would you like to allow program N to access your microphone" or "would you like to let the program connect to github.com? (Yes) (No) (With decrypting SSL traffic)". They look like they were made to comply with some outdated standards from the 80s.

The best you can do today is either write your own sandbox around Linux namespaces (very complicated), try lightweight VMs like Firecracker, or use paravirtualization (like a VM but with a shared kernel). Those solutions are made for server use, not for desktop, and require a lot of work and programming.

> If you want to install a random package, you are free to do so, and it's your responsibility. The equivalent is sideloading on Android.

I want to install random packages and still be safe. That's the point of installing an OS, to be able to run random programs on the computer.
