Not sure how good bubblewrap is; to my knowledge it only refuses unprivileged actions and doesn’t really have a way of “negotiation” between the sandbox and the app running. I do know that Flatpak does have this option for at least the file picker dialog, which is a good direction, but ideally the mobile OS’s permission system should be adapted in some way.
My gripe with Flatpak is that it mixes up a (imo bad) way of packaging with sandboxing.
We are developing the Portmaster Application Firewall that has a couple nice privacy and security features, including network monitoring. Open Source. Linux & Windows. Android in progress.
Why do you want an application firewall? I thought the reason folks ran those on Windows was because of proprietary, must-have software that opened ports with mysterious purposes that unresponsive vendors wouldn't explain or close.
Little Snitch is designed to protect you by limiting outbound traffic. The idea is to block all traffic and approve or deny application connections the first time they happen by creating rules.
Imagine you are running a compromised package installed with e.g. pip. This could provide a last line of defense when it tries to steal your data, if it's not supposed to make certain connections.
* A better application firewall (like Little Snitch for macOS, OpenSnitch looks promising)
* Sandboxing by default (falling a bit behind macOS, bubblewrap is a good solution)
* Better package management (Nix is SOTA, but we need better tools to monitor upstream against malicious commits)
* Better monitoring tools (that take advantage of eBPF and report suspicious activity)