I’ve used nix-bundle (AppImage variant) for similar needs in the past. What are the pros/cons and comparison?
It looks like it’s able to share the /nix/store with the host so it’s more efficient on disk and also tries to sandbox the executable more tightly.