Yeah, it's too hard to just `useradd -m name` a new user, maybe set a default ACL once via `setfacl -m d:u:main-user:rwx /home/name` for easier file sharing with the main desktop user account, and `sudo su - name` to it, and run whatever less trusted apps need to run under that user account from then on, mostly isolated from the rest of the [file]system.
Distros clearly don't allow this and none has this feature or these commands preinstalled by default, nor are they built to be multi-user OSes. :D
Fedora (and I think all the RHEL family) comes with SELinux by default. Although I'm not that familiar with it (I tend to disable it more often than not), it seems to me like it's addressing precisely that.
But that's your choice. I have multiple "users", and only one of them has access to ssh keys, etc. Users I use for less trusted apps just have write access to their mostly empty home dir filled with some dotfiles "whatever" app created by itself.
You can firewall by process UIDs/GIDs too, and I use that to allow the user access only to the internet and not to localhost or home network, or only to localhost, etc.
It gets your user's privileges when you run it. It's up to you how you run your programs.
Also there's no "default Linux configuration". There are many distributions, and they have different defaults and approaches.
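
Added example, not part of any comment above: the separate-account setup with the default ACL and the per-UID firewall rules mentioned in the thread, written as a shell function that only prints the commands for review. The account names `browser` and `alice`, and the address ranges treated as "localhost or home network", are assumptions.

```shell
#!/bin/sh
# Added example: prints (does not run) the commands for a low-trust account.
# Review the output first, then pipe it to `sudo sh` to apply it.
LC_ALL=C; export LC_ALL   # keep the a-z ranges below ASCII-only

# Accept only conservative account names so nothing odd reaches a root shell.
valid_name() {
    case "$1" in
        ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# sandbox_plan APPUSER MAINUSER: emit account, ACL and firewall commands.
sandbox_plan() {
    app=$1 main=$2
    valid_name "$app" && valid_name "$main" || { echo "bad user name" >&2; return 1; }
    echo "useradd -m $app"
    # Default ACL from the thread: inherited by files created later in the home dir.
    echo "setfacl -m d:u:$main:rwx /home/$app"
    # "Internet only": reject loopback and private/link-local ranges for this UID.
    echo "iptables -A OUTPUT -m owner --uid-owner $app -o lo -j REJECT"
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16; do
        echo "iptables -A OUTPUT -m owner --uid-owner $app -d $net -j REJECT"
    done
    # Same policy for IPv6, otherwise the account can still reach ::1 and the LAN.
    echo "ip6tables -A OUTPUT -m owner --uid-owner $app -o lo -j REJECT"
    for net in fc00::/7 fe80::/10; do
        echo "ip6tables -A OUTPUT -m owner --uid-owner $app -d $net -j REJECT"
    done
}

# Example: sandbox_plan browser alice
```

If the resolver is a local stub or the home router, these rules also block DNS for the account; an ACCEPT rule for that address on port 53 has to be placed ahead of the REJECT rules.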