rerdavies 5 hours ago

Android's Multiple Users feature does exactly this. Multiple user accounts, with all user data completely sandboxed and restricted to each user. All user data is cryptographically protected on storage devices.

The actual SE filesystem available to a logged-in user is pretty complicated. But the short story is that user data is completely isolated. Presumably application binaries (which require digital signatures by default) are shared, although the "installed" state is not. Successive releases of Android have restricted access to any legacy "shared" data on the device (media folders particularly; pictures and video taken by the camera device have been strongly protected since forever).

Verified checksums on a blockchain are only useful if they are verified by some provider who associates a blockchain ID with a real-world identity. Not sure what "blockchain" really adds. If anyone can create a blockchain ID, then "verification" doesn't really provide useful information.

emporas 5 hours ago

> Multiple users accounts with all user data completely sandboxed and restricted to each user.

User data and user programs. Clean installation kind of user programs.

> Verified checksums on a blockchain are only useful if they are verified by some provider who associates a blockchain ID with a real-world identity.

Nix associates a unique id with each program version, package, or config file. The verification happens in the Nix package manager.

The user uploads his exact OS config somewhere: on his own home server, on a government server, on AWS, on a blockchain, somewhere. A blockchain seems like the best solution to me.
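The "unique id" the reply refers to is a content-addressed store path: the name is derived from a hash of the content, so anyone holding the content can recompute the id and check it against a published copy, wherever that copy is kept. The following is an added illustration, not code from Nix or from either commenter. It follows the scheme Nix uses for "text" store paths (sha256 of the content, folded into a 20-byte digest, printed in Nix's base32 alphabet); the store directory, file name and sample config contents are assumptions made up for the example.

```python
"""Content-addressed verification in the style of Nix store paths.

Added example, not Nix's own code. Store dir, file name and the sample
config are constructed for illustration.
"""
import hashlib

STORE_DIR = "/nix/store"                        # assumed store directory
NIX_B32 = "0123456789abcdfghijklmnpqrsvwxyz"    # Nix base32 alphabet (no e, o, t, u)


def nix_base32(data: bytes) -> str:
    """Encode bytes the way Nix prints hashes: 5-bit digits taken from the
    least significant bits first, emitted most significant digit first."""
    n_digits = (len(data) * 8 - 1) // 5 + 1
    out = []
    for n in range(n_digits - 1, -1, -1):
        bit = n * 5
        i, j = divmod(bit, 8)
        c = data[i] >> j
        if i + 1 < len(data):
            c |= data[i + 1] << (8 - j)
        out.append(NIX_B32[c & 0x1F])
    return "".join(out)


def compress_hash(digest: bytes, size: int = 20) -> bytes:
    """Fold a digest down to `size` bytes by XOR, as Nix does for store paths."""
    out = bytearray(size)
    for i, byte in enumerate(digest):
        out[i % size] ^= byte
    return bytes(out)


def text_store_path(name: str, content: bytes, store_dir: str = STORE_DIR) -> str:
    """Derive a Nix-style store path for a text file with no references.

    The path commits to the store dir, the name and the exact bytes of the
    content; change any of them and the path changes."""
    inner = hashlib.sha256(content).hexdigest()
    fingerprint = f"text:sha256:{inner}:{store_dir}:{name}".encode()
    outer = hashlib.sha256(fingerprint).digest()
    return f"{store_dir}/{nix_base32(compress_hash(outer))}-{name}"


def verify(published_path: str, name: str, content: bytes) -> bool:
    """Recompute the path from the content actually on hand and compare it
    with the published one. Where the published path was stored (home server,
    S3, a chain) does not enter into this check; only the hash does."""
    return text_store_path(name, content) == published_path


# Constructed sample config and a tampered variant (assumptions, not real data).
CONFIG = b"{ services.openssh.enable = true; }\n"
CONFIG_TAMPERED = (
    b"{ services.openssh.enable = true; "
    b"users.users.guest.extraGroups = [ \"wheel\" ]; }\n"
)

if __name__ == "__main__":
    published = text_store_path("configuration.nix", CONFIG)
    print("published:", published)
    print("genuine verifies:", verify(published, "configuration.nix", CONFIG))
    print("tampered verifies:", verify(published, "configuration.nix", CONFIG_TAMPERED))
```

What the published path buys you is integrity of the content against a known id; it says nothing about who published the id, which is the point the parent comment raises about needing some binding between the id and a real-world identity.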