Do you use firejail for other things too? Say I'm developing a js project and have to do npm install and run-dev-server or something, would/could you use firejail with that (to avoid npm putting your ssh keys on pastebin due to bad third party js)? Would you firejail the whole bash session?

I feel so worried every time I walk into a new ecosystem, and there are new developer tools required. They invariably want me to install things outside their project folder or edit .bashrc or require sudo. It's affecting my sleep. Just running `make` in the wrong folder can start downloading things. It's gotten so bad lately I'm even considering Qubes.

I use Firejail in the terminal as I am also concerned with the things you mentioned. bwrap is also a possibility. For simple usecases, they are not too intrusive. You can easily create a development profile that bans internet access and forbids read access to your important files. Then wrap CLI commands around that, or perhaps even the entire Bash session.

It's like a poorman's QubesOS. I also recommend setting up a userspace firewall like Little Snitch or OpenSnitch. Most malware requires Internet access to do harm. Those provide a good last line of defense. It's a shame the Unix model of giving coarse-grained access to user processes has not been patched. It's not that hard and it's a big security issue.