@EdwardTorvalds @sheogorath @amolith

I would ask two questions here: is it more secure than the existing solutions (deb, rpm), and is it more secure than other alternatives (e.g. snap)?

From the description, there's a whole range of apps that by definition are intended to access the whole filesystem (like file managers) and they simply cannot be confined in one dir. In Snaps this is called "classic confinement".

But most security-critical app Snaps come fully confined.