butler
Have a stronger firejail sandbox profile by default
The current template for the firejail sandbox is notably inadequate for protection (e.g. you can muck with bash aliases, change ~/bin, etc.; it's not a sandbox in its current form).
I'm exploring a more sensible default at netblue30/firejail#1790. At the very least it looks like the profile will need to be dynamically generated and, if I'm not misunderstanding, will either need to:
- mount folders at certain locations (could mount over the home directory à la firejail --private=dir, and mount the app directory at a fixed location, I think?)
- walk the path from the nearest whitelist/noblacklist folder to the app folder, whitelisting and blacklisting along the way, as in my example at netblue30/firejail#1790
This will still leave the X11 loophole untouched: while Wayland will fix this, it's probably not safe to assume that Wayland is running 100% of the time. I've tried to set up xpra (on Ubuntu), but it seems not to be just a simple installation to get it working with firejail; I haven't looked further, however.
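The two profile-generation strategies sketched in the issue, as an added example that is not part of the issue and not butler's or firejail's own code. It assumes the app directory lives under $HOME (one of the top-level trees firejail's whitelist supports) and writes a profile in two styles: "whitelist" mode hides all of home except the app directory, and "blacklist" mode walks from home down to the app directory, blacklisting every sibling entry on the way, as the issue describes. The directive names (whitelist, blacklist, caps.drop, seccomp, noroot, nonewprivs, nogroups, private-tmp, private-dev) are real firejail profile keywords; the helper names, the hardening set, and the fixture tree are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not butler's or firejail's code): generate a per-app firejail
# profile for an app directory under $HOME, in "whitelist" or "blacklist" mode.
set -eu

# gen_profile MODE HOME APPDIR -> profile text on stdout
gen_profile() {
    mode=$1; home=${2%/}; app=${3%/}
    case "$app" in
        "$home"/*) ;;
        *) echo "appdir $app must be inside $home" >&2; return 1 ;;
    esac
    [ -d "$app" ] || { echo "no such directory: $app" >&2; return 1; }

    echo "# generated for $app"
    case "$mode" in
    whitelist)
        # Everything under $home that is not whitelisted is replaced by an
        # empty tmpfs, so ~/.bashrc, ~/bin, ~/.profile do not exist inside.
        echo "whitelist $app"
        ;;
    blacklist)
        # Walk from $home to $app; at each level hide every entry that is not
        # the next path component. Caveat: a file created in $home after the
        # profile was generated is NOT covered, so prefer whitelist mode.
        rel=${app#"$home"/}
        cur=$home
        while [ -n "$rel" ]; do
            next=${rel%%/*}
            case "$rel" in */*) rel=${rel#*/} ;; *) rel="" ;; esac
            for entry in "$cur"/* "$cur"/.[!.]* "$cur"/..?*; do
                [ -e "$entry" ] || continue          # unmatched glob literal
                [ "$(basename "$entry")" = "$next" ] && continue
                echo "blacklist $entry"
            done
            cur=$cur/$next
        done
        ;;
    *) echo "unknown mode $mode" >&2; return 1 ;;
    esac

    # Hardening shared by both modes (chosen for this example).
    printf '%s\n' "caps.drop all" "seccomp" "noroot" "nonewprivs" \
                  "nogroups" "private-tmp" "private-dev"
}

# Constructed fixture standing in for a real home directory: shell start-up
# files and ~/bin (the things the issue complains about) next to an itch app.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/home/.config/itch/apps/game" "$d/home/.config/other" "$d/home/bin"
    touch "$d/home/.bashrc" "$d/home/.config/itch/prefs.json"
    echo "$d/home"
}

FAKE_HOME=$(make_fixture)
APP=$FAKE_HOME/.config/itch/apps/game
echo "--- whitelist mode ---"
gen_profile whitelist "$FAKE_HOME" "$APP"
echo "--- blacklist mode ---"
gen_profile blacklist "$FAKE_HOME" "$APP"
rm -rf "$(dirname "$FAKE_HOME")"
```

To use it on a real install, write the output to a file and start the game with firejail --profile=game.profile; a quick check that the whitelist profile does what it claims is firejail --profile=game.profile ls -a ~, which should list nothing but the whitelisted path. Note that blacklist mode only enumerates what exists at generation time, which is why the walk-based approach from the issue is the weaker of the two.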