Linux

I wouldn't use it for security, use VMs if you need isolation.

I used Distrobox for various dev projects on Fedora Atomic and it worked great for that. I did a separate homedir mainly just to avoid dumping a bunch of crap into my real home but definitely have the expectation that anything you install has full access to the system.

I run FreeCAD via Distrobox as well since the flatpak performance was pretty bad and it's wayyyy faster which is nice and preferable to rpm-ostree in my instance.

It works well when you want to install software that is not compatible with your distro, but it is not a great security measure since it integrates with your host system instead of acting as a sandbox.

Isolation and sandboxing are not the main aims of the project, on the contrary it aims to tightly integrate the container with the host. The container will have complete access to your home, pen drive, and so on, so do not expect it to be highly sandboxed like a plain docker/podman container or a Flatpak.

I recommend you doing so, but not as a security measure, more of so as a "keeping everything organised"-measure.

I like to keep my host OS clean and install everything containerised

If they require weird install scripts you don't want to install on your system, then do not install it with Distrobox either. For those cases you don't trust the weird install script, I recommend to use a Virtual Machine; if you really really need the program.

distrobox is ok but the mapping of the home directory only sets ~ to another directory, it doesn't map the new home directory to a new volume in the container to replace your home directory which i thought was odd

By default it will break out many things. I use db as an extra layer of containers in addition to a python venv with most AI stuff. I also use it to get the Arch AUR on Fedora too.

Best advice I can give is to mess with your user name, groups, and SELinux context if you really want to know what is happening where and how. Also have a look at how Fedora Silverblue does bashrc for the toolbox command and start with something similar. Come up with a solid scheme for saving and searching your terminal commands history too.

Sure, or containers, e.g. Docker/Podman, especially if there is a Web API available.

That being said, whatever you do, in fine it's about trust. What you are installing can cause damage so IMHO it's more about keeping things manageable while having your actually important data (not programs, downloaded content, etc but rather things you did yourself, e.g. written documents, sketches, configuration files, prototypes, photos, etc) safe even when the system itself is broken regardless of how and why.