Comment by bloomca
Isn't MSIX packaged apps on Windows basically the same?
They will even list all the capabilities before installing, and I believe it can handle auto updates outside the MS Store as well.
But I think the main issue is that you can't give granular permissions. I would like to make my own sandbox rules, like only enable a single domain for networking for the app, only allow specific folders, etc.
I don't think you can get this granularity on macOS/Windows right now.
Kernels don't understand TLS or HTTP level concepts and can't sandbox them indeed, it's a weakness for sure.
MSIX is integrated with the (new) Win32 sandboxing mechanism, yes. You can activate an app container by requesting one in the manifest. But that only works on the very latest Win11 and you'll definitely encounter bugs.