Unless you’re running malware, I doubt the developers of normal applications are going to circumvent a specific form of sandboxing on the already tiny Linux market share just to do something the user doesn’t want in a way that could result in terrible press coverage, so the actual “strength” of the sandbox in your use case probably doesn’t matter much.
I believe Flatpak (or maybe Snap if you’re on Ubuntu?) should be able to do this. If it’s not done by default you can just use Flatseal as Eebzter suggested.
I’ve played around with this on and off over the last year. Here’s my two cents:
Firejail has a very old manual and 1-2 YouTube videos that only walk you through the basics that are covered in the manual intro. I did OK with the preset options but struggled a lot when I went even slightly off the beaten path.
I started down an AppArmor rabbit hole in the past and was too confused. I tried it again today and came to the conclusion that:
Few modern packages are covered w/ a relevant apparmor profile out of the box
Of the software profiles available, the majority by default are either disabled or allowed to do whatever as long as they write to logs… ~75% by my estimate
Quite a few modern software packages have profiles ‘included’ but those profiles are empty.
AppArmor kinda forces you to get your hands dirty by creating a custom profile from the start instead of providing a hello-world option or something similar to get the ball rolling.
Open to feedback, but my current understanding is:
Create a .service file for the game (or edit it if it already exists)
Use flags like TemporaryFileSystem=/home (and something like BindReadOnlyPaths=/home/user/Downloads:/home/user/Downloads if you needed to mount your Downloads folder). There’s a rough breakdown of systemd hardening options here or in the manpages via man systemd.exec.5)
Set up your .desktop file to launch the .service file (or launch from the terminal w/ systemctl if you’re too lazy for the extra step)