Bottles is built with buildFHSEnv, which uses bubblewrap under the hood. However, it doesn’t provide sandbox features as the Flatpak version does, which also uses bubblewrap. In addition, I can’t sandbox it with firejail since bubblewrap is used. Now I feel that the bottles package in Nixpkgs is in a predicament: it still needs to download lots of binaries from the Internet on startup but lacks the sandbox feature the Flatpak package provides and removes the possibility of doing it in another way.
I thought the best solution is providing similar functions in buildFHSEnv as Flatpak. Looks like GitHub - nixpak/nixpak: Runtime sandboxing for Nix is a good choice, but I don’t know how to make it work with buildFHSEnv.
Is it possible to set some rules as in firejail to sandbox the program?