it seems to work fairly well? But I just started playing with bwrap this weekend. I do wish bwrap could be told "put the program in this pre-prepared network namespace" because accessing unsecured local dev servers could also be an issue.
I had this idea of having toolbox+custom user for each project - that way it would be "simple" to have isolated environments, but it does lead to a lot of bloat. And I do think it is a naive solution.
I think a combination of custom users + a whole bunch of sandboxing is exactly what you'd get out of systemd-nspawn if you're willing to write the config: https://wiki.archlinux.org/title/Systemd-nspawn
bwrap seems a lot easier but if you want more control (or, for instance, want to run a Ubuntu basis because that's what a lot of games are compiled against), systemd-nspawn can be quite powerful.
