That's obviously super permissive, but from there can take things away to expose as much or little of the host system as needed.
For my system I'm working on making a few bwrapped "zones". E.g. start a terminal that can see a certain subset of files, and can configure whether it should use gpu or not, have internet or not, have access to local network or not, etc. A bit more project/environment focused than bwrapping programs one by one.
That's obviously super permissive, but from there can take things away to expose as much or little of the host system as needed.
For my system I'm working on making a few bwrapped "zones". E.g. start a terminal that can see a certain subset of files, and can configure whether it should use gpu or not, have internet or not, have access to local network or not, etc. A bit more project/environment focused than bwrapping programs one by one.