This is a small effort to create an isolated development environment which only has access to minimum possible directories and files with as less permissions as possible.
It also sandboxes Mullvad Browser and Tor Browser from the rest of your system in an attempt to mitigate a browser sandbox vulnerability
There is also a build-sandbox
which can be used to isolate the entirety of your various compilers
and build systems from the rest of your system
It uses bubblewrap underneath for isolating your shell from the rest of the system.
Thanks to bubblewrap for making a good security tool
Thanks a lot to Manmeet Singh who did almost all the legwork to think of the best way to break out of this sandbox and patch up holes he found.
The script has been slightly modified from his hard work with my tweaks and packaged as a Nix flake