I am trying to sandbox all my applications by default using firejail. Firejail doesn't support snap applications.
It appears that by default if requested by a snap, snapd will grant the snap read/write access to the user's home directory. This means that by default, if there is a vulnerability exploited in a "sandboxed" snap application with network access, it would be trivial for an attacker to grab all the files under $HOME including GPG keys, SSH keys, and of course the user's documents and other files.
Doing some online research led me to being able to do a snap disconnect <snap>:<plug interface> <snap>:<slot interface>, which in theory will block access to the home directory. Unfortunately this is an 'all or nothing' approach (no ability to define which folders in home to allow/deny) and must be applied to each snap individually after installation.
Is there a way to apply a "no $HOME access" policy by default to all snaps? If so, is there a way to allow access to some directories in $HOME while denying access to others? My understanding is that AppArmor can't be used for this because of the way the snap containers are designed.
Alternate plan: Is there some trickery through which I could re-mount a portion of home (say /home/folderforsnaps) and trick the snaps into thinking that is the home directory?
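As an added example (not from the question or from snapd itself), the per-snap disconnect step above can be driven from the table that `snap connections` prints: it assumes the columns are Interface, Plug, Slot and Notes, with a connected home plug showing `:home` in the Slot column and a disconnected one showing `-`, and the sample input is constructed here for offline testing.

```shell
#!/bin/sh
# Added example: turn `snap connections` output into one
# `snap disconnect <snap>:home :home` command per snap whose home plug
# is currently connected, so the manual step can be applied to all snaps.

# Reads `snap connections` text on stdin and prints the snap names whose
# "home" plug is connected (Slot column is ":home"; unconnected shows "-").
home_connected_snaps() {
    awk 'NR > 1 && $1 == "home" && $3 == ":home" {
        sub(/:home$/, "", $2); print $2
    }'
}

# Reads the same text and prints the disconnect commands without running
# them, so the result can be reviewed first (pipe through `sh` to apply;
# snap disconnect needs root, so that pipe is normally `sudo sh`).
home_disconnect_cmds() {
    awk 'NR > 1 && $1 == "home" && $3 == ":home" {
        print "snap disconnect " $2 " " $3
    }'
}

# Constructed sample of `snap connections` output (assumed column layout):
# two snaps with home connected, one already disconnected.
SAMPLE_CONNECTIONS='Interface  Plug                   Slot      Notes
home       firefox:home           :home     -
home       gnome-calculator:home  :home     -
home       vlc:home               -         -
network    firefox:network        :network  -'

# Live usage (preview, then apply):
#   snap connections | home_disconnect_cmds
#   snap connections | home_disconnect_cmds | sudo sh
```

Re-run the preview after installing new snaps, since each newly installed snap gets its home plug auto-connected again and the list above only covers what is present at the time.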