
Noob here. What are the possible use cases?


Skype, for example, can be run inside a container [1], allowing you to use it while hiding the rest of your system from the obfuscated and traffic-encrypted binary which no one knows what it does to your system.

It uses X11 forwarding for the GUI, and PulseAudio for the sound.

[1] - https://registry.hub.docker.com/u/tomparys/skype/


Also Skype has been caught reading the UNIX passwd file and your Firefox profile:

http://linux.slashdot.org/story/07/08/26/1312256/skype-linux...

The thing that made me finally uninstall it (from everything) is when my phone OS (MIUI) informed me that Skype wanted to suddenly take a photo of me even though I hadn't touched the app for days.


This Skype use case really interests me a lot, as I have to use it professionally and do not trust this application at all and would like to limit it to a bare minimum: microphone, webcam, screen and one single folder for file exchange.

I never tried Docker, but I wonder if these requirements can be achieved with SELinux or AppArmor, as they are supported by many distributions and have been around longer than Docker?

Would be great to be able to tighten the corset around any non open-source application, to make sure it is not siphoning data.


I'll note that X11 has practically no security and that windows can read contents from other windows, if you happen to be worried about that attack. Essentially, anything that is displayed can be read by anything.

You'd need some form of "X11 firewall" to be secure.


Untrusted SSH X-forwarding (via -X) is a start.
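
Added example, not part of any comment in this thread: `ssh -X` only gives the untrusted forwarding mentioned above when the OpenSSH client option `ForwardX11Trusted` is `no`; with `yes`, remote X11 clients get full access to the local display. This shell function lists the blocks of an ssh_config that set it to `yes`; the host names and sample config are constructed.

```shell
#!/usr/bin/env bash
# Added example: list ssh_config blocks where X11 forwarding is "trusted",
# i.e. where `ssh -X` gives remote clients full access to the local display.
# ForwardX11 / ForwardX11Trusted are real OpenSSH client options;
# the host names and config below are constructed sample input.

SAMPLE_CONFIG='# constructed sample ssh_config
Host jumpbox
    ForwardX11 yes
    ForwardX11Trusted yes

Host sandbox
    ForwardX11 yes
    ForwardX11Trusted no

Host *
    ForwardX11Trusted=yes
'

# Reads ssh_config text on stdin and prints one line per Host/Match block
# (or "(global)" before the first block) that sets ForwardX11Trusted yes.
audit_x11_trust() {
  awk '
    BEGIN { scope = "(global)" }
    /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
    {
      line = $0
      sub(/^[ \t]+/, "", line)           # drop indentation
      kv = line
      sub(/[ \t]*=[ \t]*/, " ", kv)      # accept the keyword=value form
      split(kv, f, /[ \t]+/)
      key = tolower(f[1]); val = tolower(f[2])
      if (key == "host" || key == "match") { scope = line; next }
      if (key == "forwardx11trusted" && val == "yes")
        print scope ": ForwardX11Trusted yes"
    }
  '
}

printf '%s' "$SAMPLE_CONFIG" | audit_x11_trust
```

The function does not follow `Include` directives; `ssh -G <host>` prints the effective client configuration for a single host.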



Just guessing - Internet Explorer under Wine.


Automated testing of native clients could leverage this.



