One big thing for me over the last few years is containers, security confinement and sandboxes. It’s not a new thing, but in the Linux space a lot of interesting tooling around these technologies has appeared over the last years. One of them are Firejail, it’s a simple tool that can apply security constraints to an application. For example, I write this in the Markdown editor Abricotine now. All scary syscalls dropped, contained and in it’s own network namespace with no network access.