My (perhaps naive) approach is to just use flatpak local install in the AppVM. I don’t have to mess with bind-dirs. I have a couple different AppVMs where I have such proprietary software away from anything I want to keep safe/private. I’m curious why people are talking about reinstalling on startup, or the risks of keeping installed software in /rw, etc. We’re already treating these VMs as low trust anyway, right?
(By “local install” I mean per-user install.)