Segmentation of apps through VMs/Containers on Debian
Privacy Guides Community [Unofficial]
May 21, 2026
Hi PG,
I’m slowly moving untrusted apps to containers or VMs to limit their interaction with my documents on my personal system. I have a couple VMs in mind (one for each app). Having a new VM for each untrusted app becomes a hassle (and already is one). I know QubesOS solves this, but I would like to see how much of this can be done on a Debian-based system.
To provide more context:
* I use KVM/QEMU for virtualization, so it would be through that
* I also use Flatpaks, so this use case is for apps that are in AppImage form (not trying to use firejail for this - due to high SUID) and for apps that are binaries
* I would say my case is similar to “App Qube” from QubesOS
* I could use containers, as I have a hunch it will be less file size than a full-on Debian VM. However, I will need to enable VNC or RDP on the container to access it.
* These apps are crucial for personal tasks, so I won’t be able to just stop using them.
Has anyone dealt with this niche use case before? If so, how did you end up segmenting your system?