Isolate the Unsafe Browser container more tightly
Since !838 (merged) we run the Unsafe Browser with run_in_netns, which uses bwrap, so effectively we get new, isolated mount and network namespaces… which was exactly what run_in_netns was created for. But here we might want to expect a bit more from the container we're setting up.
- Would it work to make the sandbox stricter by asking bwrap to unshare more resources? As of 0.6.2, bubblewrap can also manage these other namespaces: user, ipc, pid, uts, cgroup.
- Could we forbid microphone access?
Additionally, we have AppArmor rules set up for the Unsafe Browser, which suggests we particularly mean to sandbox it. But our intent there was merely to sandbox it to the same degree as the Tor Browser.