My code editor works in a sandbox. It's difficult because Linux doesn't provide it and one has to write it manually using shell scripts, random utilities. For example, I had also to write a limited FUSE emulation of /proc to allow code editor work without access to real /proc which contains lot of unnecessary information.

And if it's a "professional" setting, the company could hire a part-time developer for writing the sandbox.

could you share with us those utilities? I've tried doing the same with AppArmor, but I ended up having endless warnings and weird bugs.

Good luck selling that to thousands of managers. That's my point. It's easy to list things that should be done. It's harder to get them greenlit.