Sandbox bottles

Bottles is built with buildFHSEnv, which uses bubblewrap under the hood. However, it doesn’t provide the sandbox features of the Flatpak version, which also uses bubblewrap. In addition, I can’t sandbox it with firejail since bubblewrap is used. Now I feel that the bottles package in Nixpkgs is in a predicament: it still needs to download lots of binaries from the Internet on startup, but it lacks the sandbox feature the Flatpak package provides and removes the possibility of doing it in another way.

I thought the best solution would be to provide similar functions in buildFHSEnv as Flatpak does. It looks like GitHub - nixpak/nixpak: Runtime sandboxing for Nix is a good choice, but I don’t know how to make it work with buildFHSEnv.

Is it possible to set some rules as in firejail to sandbox the program?
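As an added example (not code from the post above, nor the bottles package in Nixpkgs), this is a buildFHSEnv expression that turns on the namespace-isolation options of the bubblewrap-backed buildFHSEnv and appends raw bwrap flags to restrict what the program can see of the home directory. The wrapped program (pkgs.hello), the home directory path and the attribute names are assumptions based on the nixpkgs bubblewrap backend, not anything confirmed by the post; check `nix-instantiate --eval` against your nixpkgs revision before relying on it.

```nix
{ pkgs ? import <nixpkgs> { } }:

pkgs.buildFHSEnv {
  name = "sandboxed-app";

  # Stand-in for the real program: pkgs.hello keeps the expression runnable.
  # Bottles' own FHS env lives in nixpkgs and is not reproduced here.
  targetPkgs = p: [ p.hello ];
  runScript = "hello";

  # Namespace isolation knobs (assumed attribute names of the bubblewrap
  # backend). Each one maps to the corresponding bwrap --unshare-* flag.
  unsharePid = true;      # host processes are invisible and cannot be signalled
  unshareIpc = true;      # no SysV IPC / shared memory with the host
  unshareUts = true;      # private hostname
  unshareCgroup = true;
  unshareNet = false;     # the post notes bottles downloads binaries on startup,
                          # so the network namespace is deliberately kept shared
  dieWithParent = true;   # tear the sandbox down if the wrapper exits

  # Raw bwrap arguments appended after the generated mounts. bwrap applies
  # mounts in order, so the tmpfs hides the real /home that buildFHSEnv
  # bind-mounts, and only one dedicated directory is exposed writable.
  extraBwrapArgs = [
    "--tmpfs" "/home"
    "--bind" "/var/lib/sandboxed-app-home" "/home/sandbox"  # placeholder path, must exist
    "--setenv" "HOME" "/home/sandbox"
  ];
}
```

Build with `nix-build sandbox.nix` and run `./result/bin/sandboxed-app`; inside the sandbox, `ls /home` should show only the `sandbox` directory, which is the check that the tmpfs override took effect.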