Absolutely, seccomp is also an unprivileged sandboxing mechanism in Linux. It does have the drawback however that the policies are defined in terms of system call numbers and their (register value) arguments, which complicates things, as it is a moving target.

The problem was also recently discussed at https://lssna2025.sched.com/event/1zam9/handling-new-syscall...