Familiar is a big word, but yes, this is the option I was talking about
(never tried it though).
Exactly, the question is whether the sandbox is reliable or not. After all,
it's all code, and yet, some things are not possible if the permissions don't
allow it.
It seems it works with something like root access (namespaces) ans something
that reduces the attack surface on the kernel by filtering stuff.
It's most likely very hard to break, and most websites have other thing to do
than invest code to break through computers anyway.
Because for some code being able to break sudo... Well it seems it's not yet
possible :
https://arstechnica.com/security/2015/08/dram-bitflipping-exploit-for-attacking-pcs-just-add-javascript/
About other ways JS can be a threat:
https://arstechnica.com/security/2015/08/dram-bitflipping-exploit-for-attacking-pcs-just-add-javascript/
http://bestsecuritysearch.com/malicious-javascript-js-files-endanger-pc-security/
XSS is harder to understand quickly for me, but it seems it all comes down to
executing some malicious JS file at some point.
And since never (ever) running JS isn't an option for most users, sandboxing
limits the damage. The Firejail option is immensely better since it's not the
/Home folder being exposed anymore, but a tiny folder.
So even running JS at all times could be "safe" (of course if one doesn't
care about tracking).
But the browser (login info, bookmarks...) are still at risk though.