The user amending PATH is not great as this would be ignored by (background) applications running other applications.
For example update-flashplugin-nonfree run by postinst would use /usr/bin/gpg rather than /usr/local/bin/gpg because it will not have the same PATH setting as the user. Etc.

> Though it would behave differently than expected when the tool is not installed (launching firejail instead of erroring with "No such file ...").

The wrappers could just be minimal scripts that would redirect to the main wrapper. And the main wrapper could emulate acting as expected if the tool is not installed.

firejail + binary installed:
-> start firejailed binary

firejail + binary not installed:
-> not use firejail and just act as if there was no wrapper. Example /usr/local/bin/gpg would do...

exec /usr/bin/gpg "$@"

uwt ( https://github.com/Whonix/uwt ) wrappers act like this. (Additionally, it is handling command-not-found.)

I am not sure that is a perfect solution yet. It would not cover stackable wrappers. I.e. I would not know yet how to automatically add torsocks (uwt) as well as firejail at the same time. Perhaps a generic stackable wrapper mechanism is required?

Perhaps this is a bigger, general discussion for debian-devel?
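
A sketch of the main-wrapper fallback logic discussed in this message, as an added example that is not part of the original post and is not uwt's code. The function names `plan_exec` and `run_wrapped` and the idea of a sourced library file are assumptions; the real tool and firejail are always referenced by absolute path so the wrapper never resolves back to itself through PATH.

```shell
#!/bin/sh
# Added illustration (hypothetical helper names, not taken from uwt).
# A per-tool stub such as /usr/local/bin/gpg would source this file and run:
#   run_wrapped /usr/bin/gpg /usr/bin/firejail "$@"

# plan_exec REAL_PATH FIREJAIL_PATH
# Prints "sandboxed" or "direct"; returns 127 if the real tool is missing,
# which is the status a shell gives for a command it cannot find.
plan_exec() {
    real=$1 jail=$2
    if [ ! -x "$real" ]; then
        # Tool not installed: fail the way the caller would expect
        # without a wrapper, instead of launching firejail on nothing.
        printf '%s: No such file or directory\n' "$real" >&2
        return 127
    fi
    if [ -x "$jail" ]; then
        printf 'sandboxed\n'
    else
        # firejail absent: behave as if there were no wrapper at all.
        printf 'direct\n'
    fi
}

# run_wrapped REAL_PATH FIREJAIL_PATH [ARGS...]
# Replaces the current process with the chosen command line.
run_wrapped() {
    real=$1 jail=$2
    shift 2
    mode=$(plan_exec "$real" "$jail") || return $?
    case $mode in
        sandboxed) exec "$jail" "$real" "$@" ;;
        direct)    exec "$real" "$@" ;;
    esac
}
```

Because the stub passes absolute paths, the decision does not depend on the caller's PATH, which is the case the postinst example above runs into.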