
Aside from wrapping applications with Firejail, I would also recommend setting up AppArmor[1] or SELinux in enforce mode, as most Linux distributions do not do that by default[2].

Things will break from time to time until you modify the default profiles, and you will need to write profiles for applications that do not ship with one by default, but it is worth the time you spend.

[1] A MAC just like SELinux, but with easier syntax. It is the default on Ubuntu, Debian, OpenSUSE, and others.

[2] I think Fedora does enforce SELinux by default, though.
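A quick way to check the point this comment makes (whether the MAC on a host is actually enforcing, and which AppArmor profiles are still only in complain mode) is to read the kernel interfaces and parse `aa-status` output. The script below is an added example, not code from the comment author; the `aa-status` text it parses is a constructed sample with made-up profile names, and the `/sys` paths it defaults to are the ones AppArmor and SELinux normally expose.

```shell
#!/bin/sh
# Added example: summarise MAC enforcement state on a Linux host.
#   - summarize_aa_status / complain_profiles parse `aa-status` output on stdin
#   - selinux_mode reads the SELinux enforce flag (path is a parameter so the
#     function can be tested against a constructed file)

# Constructed sample of `aa-status` output (profile names are made up).
SAMPLE_AA_STATUS='apparmor module is loaded.
5 profiles are loaded.
3 profiles are in enforce mode.
   /usr/bin/man
   /usr/sbin/cupsd
   firejail-default
2 profiles are in complain mode.
   /usr/bin/example-app
   snap.example.daemon
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/cupsd (1234)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# Print "enforce=N complain=M" from aa-status output read on stdin.
summarize_aa_status() {
    awk '
        /profiles are in enforce mode/  { enforce = $1 }
        /profiles are in complain mode/ { complain = $1 }
        END { printf "enforce=%d complain=%d\n", enforce, complain }
    '
}

# List the profiles that are loaded but only in complain mode: these log
# violations without blocking, so they are the ones still to move to enforce.
complain_profiles() {
    awk '
        /profiles are in complain mode/ { grab = 1; next }
        /profiles are in|processes/     { grab = 0 }
        grab && /^   /                  { sub(/^ +/, ""); print }
    '
}

# Report SELinux mode from the enforce flag (default: the real kernel path).
selinux_mode() {
    f="${1:-/sys/fs/selinux/enforce}"
    if [ ! -r "$f" ]; then
        echo "absent"
        return
    fi
    case "$(cat "$f")" in
        1) echo "enforcing" ;;
        0) echo "permissive" ;;
        *) echo "unknown" ;;
    esac
}

# Stand-alone demo on the constructed sample. On a real host run
# `aa-status | summarize_aa_status` (aa-status needs root) instead.
printf '%s\n' "$SAMPLE_AA_STATUS" | summarize_aa_status
printf '%s\n' "$SAMPLE_AA_STATUS" | complain_profiles
echo "selinux: $(selinux_mode)"
```

On a host where `selinux_mode` prints `absent` and `summarize_aa_status` reports `enforce=0`, nothing is being mandatory-access-controlled at all, which is the default state the comment is warning about; a non-zero complain count is the list of profiles to review in the audit log before switching them with `aa-enforce`.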



This is good advice! I’ve heard many engineers bemoan setting up SELinux policies; however, they’ll dump a non-trivial amount of time into security theatre.



