https://github.com/darwin-containers
https://news.ycombinator.com/item?id=37655477
There's no security model for desktops that works well.
Like another commenter said, iOS has no legacy cruft and could deliver the security model that made sense.
On the other hand, when Telegram asks you to share all your contacts and images with it, people do.
> There's no security model for desktops that works well.
Don't you think that something which combines ideas from Firejail and Guix containers could be good enough?
For those who have not used Firejail, it is a sandbox that comes with default security profiles for most popular Linux binaries, so it's pretty unobtrusive. Say you want to run Firefox: Firejail limits Firefox's access to ~/.mozilla and ~/Downloads by default. So, in case Firefox is compromised, attackers can't steal things from other $HOME directories like ~/.ssh.
On the other hand, Guix lets you launch ephemeral shells, like Nix, with any combination of packages. Unlike Nix, it provides a very convenient set of flags to sandbox the shell in terms of network, files, etc. This is handy for development tasks where you would like to have fine-grained capabilities.
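As an added illustration of the whitelist behaviour described above (not a profile from the thread or Firejail's own shipped firefox.profile), a Firejail profile in the project's profile syntax; it assumes the standard include files (disable-*.inc, whitelist-common.inc) from a normal Firejail install are present:

```conf
# Illustrative Firejail profile for Firefox (example, not the shipped firefox.profile)
# Persistent local customisations, then global definitions
include firefox.local
include globals.local

# Keep these paths reachable before the disable-* includes blacklist them
noblacklist ${HOME}/.mozilla
noblacklist ${HOME}/.cache/mozilla

include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
include disable-programs.inc

# Whitelisting: only these $HOME subtrees exist inside the sandbox;
# ~/.ssh, ~/.gnupg and every other dotfile are simply absent from the view
mkdir ${HOME}/.mozilla
mkdir ${HOME}/.cache/mozilla
whitelist ${HOME}/.mozilla
whitelist ${HOME}/.cache/mozilla
whitelist ${DOWNLOADS}
include whitelist-common.inc

# Kernel-side hardening: no capabilities, no privilege escalation, syscall filter
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp

# Private /dev and /tmp so the browser cannot see other processes' files there
private-dev
private-tmp
```

To verify the effect, launch a shell with the same profile (`firejail --profile=firefox-example.profile bash`) and run `ls -a ~`: only the whitelisted entries appear and ~/.ssh is missing. The Guix counterpart mentioned above is `guix shell --container --network --share=$HOME/project -- <command>`, where each `--share`/`--expose` flag is an explicit opt-in for one path.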
> On the other hand, when Telegram asks you to share all your contacts and images with it, people do.
This is where Android shines with storage and contacts scopes. You can share an empty scope with the app and it will stop bugging you, and have access to nothing!
> There's no security model for desktops that works well.
Qubes OS works quite well, if you need security on the desktop.
> There's no security model for desktops that works well.
> Like another commenter said iOS has no legacy cruft and could deliver the security model that made sense.
Yeah, I was just wondering about this. In the presentation Seatbelt is also mentioned; I thought this had been considered deprecated legacy for years. IIRC, the last time I checked for sandboxing I basically couldn't find anything recent at the application level.
I like ChromeOS' security model: nail everything shut, but leave a Linux VM as an escape hatch.