Comment by samus
The difficulty is the same as for current sandboxing efforts on desktop Linux though: most existing applications assume unrestricted access to user data. They have to be adapted or have to be granted unrestricted access. Otherwise users will simply not be willing/able to use the machine in secure ways.
The technologies has been there for decades, but is applicable to a greenfield setting only.
> The difficulty is the same as for current sandboxing efforts on desktop Linux though
You're right, that is a problem. However, the situation on Linux is even worse since you can't even nest sandboxes/containers in most real-world situations.