Comment by tremon
I want to craft an environment where any program trying to read f.ex. anything inside ~/.ssh is automatically denied
That requires a MAC security model like AppArmor [0] or SELinux [1]. Those can deny filesystem access based on process environment data, such as the executable path or its security context. But these require the access rules to be enumerated externally, whereas Landlock is about an application voluntarily limiting itself -- or limiting its children: e.g. it would be a very good idea for npm to restrict the scope of package post-install scripts to only the npm cache/build tree.
It seems that this software is well-positioned for us to write application launchers
Like OpenBSD's pledge [2], this API is primarily meant for application writers, not launchers. But where the OpenBSD base system is maintained as a whole by the same group of people, Linux is a hodgepodge of different distributions using various software to construct a complete system. This means it's going to take a long while before Landlock will reach anywhere close to the same coverage that pledge already has in OpenBSD. In the meantime, wrappers/launchers are the best that you can do on Linux.
[0] https://en.opensuse.org/SDB:AppArmor_geeks#Anatomy_of_a_prof...
[1] https://manpages.opensuse.org/Tumbleweed/selinux-policy-doc/...
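
A minimal launcher of the kind discussed in the comment above, as an added example (not code from the comment or from the Landlock project). Landlock rules are allow-only, so "deny ~/.ssh" is expressed by handling every filesystem right and allowing only the needed directories; the names `allow` and `confine_self` and the read-only directory list are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/landlock.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#define FS_READ (LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_READ_FILE | \
                 LANDLOCK_ACCESS_FS_READ_DIR)
#define FS_ALL  ((LANDLOCK_ACCESS_FS_MAKE_SYM << 1) - 1) /* all 13 ABI v1 rights */

/* Allow `access` beneath directory `path`; a missing path is skipped and stays denied. */
static int allow(int ruleset_fd, const char *path, __u64 access) {
    struct landlock_path_beneath_attr rule = { .allowed_access = access };
    rule.parent_fd = open(path, O_PATH | O_CLOEXEC);
    if (rule.parent_fd < 0)
        return errno == ENOENT ? 0 : -1;
    int rc = syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &rule, 0);
    close(rule.parent_fd);
    return rc;
}

/* Confine the caller and its future children: read/execute under ro_dirs, full access under
 * rw_dir, nothing elsewhere. Sets no_new_privs first. Returns 0, or -1 with errno set. */
int confine_self(const char *const ro_dirs[], const char *rw_dir) {
    struct landlock_ruleset_attr attr = { .handled_access_fs = FS_ALL };
    int fd = syscall(SYS_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (fd < 0)
        return -1; /* ENOSYS or EOPNOTSUPP: kernel without Landlock */
    int rc = allow(fd, rw_dir, FS_ALL);
    for (int i = 0; rc == 0 && ro_dirs[i]; i++)
        rc = allow(fd, ro_dirs[i], FS_READ);
    if (rc || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || syscall(SYS_landlock_restrict_self, fd, 0))
        rc = -1;
    close(fd);
    return rc;
}

int main(int argc, char *argv[]) { /* usage: confine RW_DIR CMD [ARG...] */
    static const char *const ro[] = { "/usr", "/bin", "/lib", "/lib64", "/etc", NULL }; /* assumed */
    if (argc < 3)
        return fprintf(stderr, "usage: %s RW_DIR CMD [ARG...]\n", argv[0]), 2;
    if (confine_self(ro, argv[1]) != 0)
        return perror("landlock"), 1; /* fail closed: never exec unconfined */
    execvp(argv[2], &argv[2]);
    return perror("execvp"), 127;
}
```

Real programs usually need further rules (for example for `/dev` or `/proc`), and this ABI v1 ruleset does not restrict network access.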