What I'd like to know is whether it's possible to run GUI applications in their own containers. From what I understand about X, if a GUI app runs in the same context as the DE, it will have access to all other windows, the clipboard, etc.
That makes me think that Xephyr is mandatory in order to run an app in a container, but I haven't found a satisfactorily easy way to do so. Would systemd be the easy solution I'm looking for?
Firejail, mentioned elsewhere in the thread, should do that correctly. Personally though I've been doing docker (substitute with systemd-nspawn or whatever you like) with xpra; not sure it's as secure, but it should block accidental snooping while still supporting clipboard transfers.
It appears that the relevant developers are pushing towards using Wayland for more secure remote windowing, but I do not know what state it's in.
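As an added illustration of the two approaches named in the reply above (not code from the thread or from the Firejail, xpra or Docker projects), the script below builds the launch commands for a Firejail sandbox with a nested Xephyr server and for a container running its own xpra server, plus a small check that the sandboxed DISPLAY differs from the host's. It assumes firejail, xpra and docker are installed; the image name `example/gui-app`, the app `xterm` and the socket directory `/tmp/xpra-sock` are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Two ways to give a GUI app its own X
# server so it cannot read other windows or the host clipboard.
# Assumptions: firejail, xpra and docker are installed; "example/gui-app" is a
# placeholder image that contains xpra and the app; "xterm" is a stand-in app.

# Option A: Firejail. --x11=xephyr starts a nested Xephyr server for the
# sandbox and points DISPLAY inside it at that server, so the app never talks
# to the host's :0. --net=none also hides the abstract X socket (needs
# network namespaces).
firejail_xephyr_cmd() {
    printf 'firejail --x11=xephyr --net=none %s\n' "$1"
}

# Option B: a container running its own xpra server. Its socket directory is
# bind-mounted so the host can attach; the container itself needs no network.
# The container must run as the same uid as the host user (docker --user) for
# the host to be able to open the socket.
xpra_container_cmd() {
    image="$1"; app="$2"; sockdir="$3"
    printf 'docker run --rm --network=none -v %s:%s %s xpra start :100 --socket-dir=%s --daemon=no --start-child=%s --exit-with-children\n' \
        "$sockdir" "$sockdir" "$image" "$sockdir" "$app"
}

# Host side: attach to the container's xpra display through the shared socket.
xpra_attach_cmd() {
    printf 'xpra attach :100 --socket-dir=%s\n' "$1"
}

# Cheap isolation check: DISPLAY inside the sandbox must be set and must differ
# from the host's DISPLAY. Pure string logic so it can be tested with
# constructed values.
display_is_isolated() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# Runs the real check when firejail is available; returns 0 if isolated,
# 2 if firejail is missing.
check_firejail_isolation() {
    command -v firejail >/dev/null 2>&1 || { echo "firejail not installed; skipping" >&2; return 2; }
    inner=$(firejail --quiet --x11=xephyr sh -c 'echo "$DISPLAY"')
    display_is_isolated "${DISPLAY:-}" "$inner"
}

if [ "${1:-}" = "run" ]; then
    firejail_xephyr_cmd xterm
    xpra_container_cmd example/gui-app xterm /tmp/xpra-sock
    xpra_attach_cmd /tmp/xpra-sock
    check_firejail_isolation && echo "firejail: DISPLAY isolated"
fi
```

Invoke it as `sh isolate-gui.sh run` to print the commands and, if firejail is present, run the DISPLAY check. The check is deliberately weak: it only proves the app was handed a different X server, which is the property that stops window and clipboard snooping; it says nothing about what else the sandbox leaks, so the Firejail profile or the container's mounts still need review.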