One project I'm keeping an eye on is Whonix's [sandbox-app-launcher][1],
which will run each application as a different user and provide a mechanism
for configuring each such user's permissions for:

* Network access
* Webcam access
* Microphone access
* Shared storage access (read-only or read-write)
* Dynamic native code execution

effectively bringing to GNU the kind of sandboxing and per-application
privacy settings currently available for Android and iOS.

[1]: https://github.com/madaidan/sandbox-app-launcher