
Are there any Linux equivalents to Sandboxie?

For example, I'd like an easy way to run Firefox in a sandbox under Linux, without the overhead of running a full VM (which is just too resource intensive on my old, slow laptop), I'd like to be able to pull out files that Firefox downloads from the sandbox, and then delete the sandbox when I'm done. Also, Sandboxie can force particular apps to start sandboxed. All that is pretty easy to do from Sandboxie and is 99% of what I use Sandboxie for.




Firejail is probably what you want. I'd be wary of considering Docker as a jail - it does some isolation, but I've yet to see any serious effort or analysis of "safely run arbitrary code as root in Docker and avoid escape" (the scenario being at least a full compromise of the app, with potentially an elevation to root in the container). Docker is "(shipping) container first", not "(CIA black site) container first".

Firejail isn't perfect - but it's at least designed to be a jail/sandbox.

There's also the possibility to use LXC via LXD - if you're running Xorg you can forward X11 over SSH to the container (or VM). However, access to Xorg is problematic (e.g. shared clipboard, window/screen access).

Wayland supposedly does "everything x does" - but I don't know how you connect displays via the network.

But in the end (even though you requested "not vm") - I'd probably have a look at qubes os: https://www.qubes-os.org/

Afaik it mitigates the "shared xorg server" via using x-in-x nested servers (eg xephyr).

Also came across this, which appears to be a little better than "just" docker - but I'd probably still go with firejail or qubes os:

https://github.com/mviereck/x11docker/blob/master/README.md


CentOS / RHEL has UID and GID mapping backported from the 4.x Linux kernel, which podman supports. You can run as root in the container and still be remapped to a non-root user outside of it. If you want a locked desktop, combine that with Guacamole docker images.


Well, there's Docker. You'd have to expose X to the container ( http://fabiorehm.com/blog/2014/09/11/running-gui-apps-with-d... )

Or https://www.flatpak.org/

Edit: hmm apparently there’s also https://firejail.wordpress.com/


FireJail would be simpler to set up and gives the same (relative) protection.


As already mentioned, Firejail https://firejail.wordpress.com/ is easy to use and was made at first to run Firefox in a sandbox. It has pretty neat options and can isolate the FS, make use of a temporary home, etc.
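To make the "temporary home" idea concrete for the use case in the question (fresh sandbox, pull the downloads out, throw the sandbox away), here is an added example script, not code from the thread or from the Firejail project. It assumes firejail and firefox are installed, and that Firefox inside the jail writes to $HOME/Downloads (its default when no XDG user dirs are configured). The flags used all exist in Firejail: --private=DIR mounts DIR as the jail's home, so nothing from the real home directory is visible to the browser.

```shell
#!/bin/sh
# Added example (not from the thread): a disposable Firefox session with
# Firejail, mirroring the Sandboxie workflow from the question.
# Assumes firejail and firefox are installed and that Firefox saves into
# $HOME/Downloads inside the jail (its default).
set -eu

# Create an empty scratch directory that becomes Firefox's $HOME.
# --private=DIR mounts DIR over /home/$USER inside the jail, so the
# real profile, ssh keys, etc. are not visible to the browser.
new_sandbox_home() {
  d="$(mktemp -d "${TMPDIR:-/tmp}/ff-jail.XXXXXX")"
  mkdir -p "$d/Downloads"
  printf '%s\n' "$d"
}

# Launch Firefox in the jail. Besides the private home:
#   --private-tmp / --private-dev  fresh /tmp and a minimal /dev
#   --noroot                       no root user inside the jail
#   --nonewprivs                   setuid binaries cannot gain privileges
#   --caps.drop=all                no Linux capabilities
#   --seccomp                      Firejail's default syscall blacklist
# The X server is still the host's; add --x11=xephyr (or --x11=xpra)
# to put Firefox on a nested display if X11 keylogging is a concern.
run_firefox_sandboxed() {
  firejail --private="$1" --private-tmp --private-dev \
           --noroot --nonewprivs --caps.drop=all --seccomp \
           firefox --no-remote
}

# Copy regular files from the jail's Downloads to DEST, then wipe the
# scratch home (profile, cookies, cache and all). Prints the count.
extract_and_destroy() {
  jail_home="$1"; dest="$2"
  mkdir -p "$dest"
  n=0
  for f in "$jail_home"/Downloads/*; do
    [ -f "$f" ] || continue          # skips the literal glob when empty
    cp -p -- "$f" "$dest/"
    n=$((n + 1))
  done
  rm -rf -- "$jail_home"
  printf '%s\n' "$n"
}

main() {
  dest="${1:-$HOME/from-sandbox}"
  jail_home="$(new_sandbox_home)"
  run_firefox_sandboxed "$jail_home"
  count="$(extract_and_destroy "$jail_home" "$dest")"
  echo "recovered $count file(s) into $dest"
}

# Set FF_JAIL_RUN=1 to actually launch a session; left off so the
# functions can be sourced and exercised without a display or firejail.
if [ "${FF_JAIL_RUN:-0}" = 1 ]; then
  main "$@"
fi
```

Usage: `FF_JAIL_RUN=1 sh firefox-jail.sh ~/from-sandbox`. Only what landed in Downloads survives; the browser profile created during the session is deleted with the scratch home, which is the closest analogue to deleting a Sandboxie sandbox.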


LXC and LXD are system containers, which are similar to VMs but using Linux container facilities.

There is an entry-level guide at https://blog.simos.info/how-to-easily-run-graphics-accelerat... that describes how to set up an LXD container so that the GUI applications in the container appear on the host. Here, the GUI applications in the container are using the same X11 server as the host, therefore there is no attempt at security isolation.

It is possible for those that are interested, to use features from `x11docker` (second X server, xpra, Xephyr) to provide security isolation with LXD containers.

For the Firefox use-case that you describe, you can set up Firefox and then take a snapshot of the container (`lxc snapshot ...`). Every time that you want to run Firefox, you can switch the container back to the snapshot state and start Firefox.
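The snapshot-then-restore loop above, written out as an added example script (not from the thread or the linked guide). It assumes LXD is installed, the container already exists with Firefox set up for a user named "ubuntu", and the host's X11 socket is shared into the container as in the linked guide (so, as the comment says, no display isolation). The container name, snapshot name, guest user and DISPLAY value are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not from the thread): LXD snapshot/restore loop for a
# disposable Firefox container. Assumes LXD, an existing container with
# Firefox installed for GUEST_USER, and the X11 sharing from the guide.
set -eu

CONTAINER="${CONTAINER:-ffbox}"        # assumed name
SNAPSHOT="${SNAPSHOT:-clean}"          # assumed snapshot name
GUEST_USER="${GUEST_USER:-ubuntu}"     # assumed unprivileged user
GUEST_DISPLAY="${GUEST_DISPLAY:-:0}"   # assumed shared X display

# Parse `lxc list --format csv -c ns` output (one "name,state" per line)
# and print the state of NAME; prints nothing if NAME is not listed.
container_state() {
  csv="$1"; name="$2"
  printf '%s\n' "$csv" | while IFS=, read -r n s; do
    if [ "$n" = "$name" ]; then
      printf '%s\n' "$s"
    fi
  done
}

# Run once, right after installing and configuring Firefox in the
# container. Every later session is rolled back to this state.
take_clean_snapshot() {
  lxc snapshot "$CONTAINER" "$SNAPSHOT"
}

# One disposable browsing session: roll back to the clean snapshot,
# start, run Firefox as the unprivileged guest user, copy out whatever
# landed in its Downloads, and stop again. No state from one session
# is carried into the next.
run_session() {
  dest="$1"
  mkdir -p "$dest"
  if [ "$(container_state "$(lxc list --format csv -c ns)" "$CONTAINER")" = "RUNNING" ]; then
    lxc stop "$CONTAINER"
  fi
  lxc restore "$CONTAINER" "$SNAPSHOT"
  lxc start "$CONTAINER"
  lxc exec "$CONTAINER" -- \
    sudo -H -u "$GUEST_USER" env DISPLAY="$GUEST_DISPLAY" firefox --no-remote
  # Pull the whole Downloads directory; it lands as "$dest/Downloads".
  lxc file pull -r "$CONTAINER/home/$GUEST_USER/Downloads" "$dest"
  lxc stop "$CONTAINER"
}

# Set LXD_SESSION_RUN=1 to run a session; left off so the functions can
# be sourced on a machine without LXD.
if [ "${LXD_SESSION_RUN:-0}" = 1 ]; then
  run_session "${1:-$HOME/from-sandbox}"
fi
```

The restore is what gives the Sandboxie-like "delete the sandbox" effect: anything Firefox wrote to its profile during the session disappears, and only the pulled Downloads directory remains on the host.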


See BubbleWrap, FireJail, as well as the pre-packaged platforms such as FlatPak / AppImage which run in a container.


For sandboxing in general? There's seccomp, which uses BPF to control what processes are allowed to do.


Is it as easy to use and as polished as Sandboxie? Or is it more low-level?


It's designed to be granular and programmable, so it's probably too low-level if you're looking for something like Sandboxie. I wonder if someone has published a set of rules that "just work", though…


Bubblewrap (https://github.com/containers/bubblewrap) on Wayland. You might have to make a chroot sort of environment for it to be convenient enough to use in practice, unless you're okay with exposing the (read-only) contents of /usr, for example, to the sandbox.
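What the "expose read-only /usr" variant looks like in practice, as an added example (not from the thread or the Bubblewrap project): a bwrap invocation that gives Firefox a read-only /usr, a handful of /etc files, a tmpfs home with one host directory bound in as Downloads, and only the Wayland compositor socket (no X11 socket, so other clients' keystrokes are not reachable the way they are under X). It assumes bwrap and firefox are installed, a merged-/usr distro (/bin, /lib and friends are symlinks into /usr), and a running Wayland session. The /etc list is a minimal guess; a particular distro or Firefox build may need more (for example /etc/passwd or /etc/machine-id).

```shell
#!/bin/sh
# Added example (not from the thread): Firefox under Bubblewrap on Wayland.
# Assumes bwrap, firefox, a merged-/usr layout and a Wayland compositor.
set -eu

# Host directory that receives downloads; the only writable host path
# visible inside the sandbox. Assumed location, override via environment.
DOWNLOADS_OUT="${DOWNLOADS_OUT:-$HOME/from-sandbox}"

# Resolve the compositor socket. WAYLAND_DISPLAY is either a name
# relative to XDG_RUNTIME_DIR or an absolute path; fail clearly when
# this is not a Wayland session rather than silently falling back to X.
wayland_socket() {
  disp="${WAYLAND_DISPLAY:-}"
  if [ -z "$disp" ]; then
    echo "WAYLAND_DISPLAY is not set; not a Wayland session?" >&2
    return 1
  fi
  case "$disp" in
    /*) printf '%s\n' "$disp" ;;
    *)
      if [ -z "${XDG_RUNTIME_DIR:-}" ]; then
        echo "XDG_RUNTIME_DIR is not set" >&2
        return 1
      fi
      printf '%s/%s\n' "$XDG_RUNTIME_DIR" "$disp" ;;
  esac
}

# --unshare-all: new user, pid, net, ipc, uts and cgroup namespaces;
# --share-net hands the network back because a browser needs it.
# Nothing of the real $HOME is bound in; the tmpfs home vanishes on exit.
# The socket is bound read-only: connect() on a unix socket does not
# need a writable mount, only the socket inode's permission bits.
run_firefox_bwrap() {
  sock="$(wayland_socket)"
  mkdir -p "$DOWNLOADS_OUT"
  bwrap \
    --unshare-all --share-net \
    --die-with-parent --new-session \
    --ro-bind /usr /usr \
    --symlink usr/bin /bin \
    --symlink usr/sbin /sbin \
    --symlink usr/lib /lib \
    --symlink usr/lib64 /lib64 \
    --ro-bind /etc/ld.so.cache /etc/ld.so.cache \
    --ro-bind /etc/resolv.conf /etc/resolv.conf \
    --ro-bind /etc/hosts /etc/hosts \
    --ro-bind /etc/nsswitch.conf /etc/nsswitch.conf \
    --ro-bind /etc/ssl /etc/ssl \
    --ro-bind /etc/fonts /etc/fonts \
    --proc /proc \
    --dev /dev \
    --tmpfs /dev/shm \
    --tmpfs /tmp \
    --tmpfs "$HOME" \
    --bind "$DOWNLOADS_OUT" "$HOME/Downloads" \
    --dir /run/sandbox \
    --ro-bind "$sock" /run/sandbox/wayland-0 \
    --setenv XDG_RUNTIME_DIR /run/sandbox \
    --setenv WAYLAND_DISPLAY wayland-0 \
    --setenv MOZ_ENABLE_WAYLAND 1 \
    --unsetenv DISPLAY \
    firefox --no-remote
}

# Set BWRAP_RUN=1 to launch; left off so the helper can be sourced and
# checked without bwrap or a compositor present.
if [ "${BWRAP_RUN:-0}" = 1 ]; then
  run_firefox_bwrap
fi
```

Compared with the Firejail route this is more typing, but every path the browser can see is listed explicitly, which is the point of Bubblewrap: the sandbox is only as wide as the bind list.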


SELinux's sandbox[1] tool works pretty well for isolating GUI applications (with -X). [1] https://linux.die.net/man/8/sandbox


If you don't need a GUI then you can use Docker for basic sandboxing. It isn't a foolproof solution, but it's about as close as you are going to get without full virtualization.


You can put GUI apps in docker too. You just need to give access to X or the wayland socket.


This does mean the app can make x calls though. So it could run a keylogger, for instance


There are tutorials on using LXC containers to run graphical applications on Linux.





