nomeata, I have switched from #nixos containers to a relatively simple bubblewrap script to isolate my home directory from possibly malicious stuff that could run as I am developing. It's a bit ad-hoc and not a very thorough protection, but convenient enough that I might get in the habit.
https://www.joachim-breitner.de/blog/812-Convenient_sandboxed_development_environment