QubesOS isolates almost everything and does a very good job of that, but “Qubes, however, does not attempt to provide any security isolation for applications running within the same domain. For example, a buggy web browser running in a Qubes domain could still be compromised just as easily as on a regular Linux distribution. [which, out of the box, almost has no sandboxing at all]. The difference that Qubes makes is that now the attacker doesn’t have access to all the software running in the other domains.”
What do you suggest for someone who wants to isolate between apps within the same domain?
Would something like AppArmor or SELinux be sufficient?
Also, it would be beneficial as an open discussion for people who want to limit the trust in the bundled apps from Linux repos.