You can sandbox the neovim appimage with AM and then it will ask you what locations you want to give access to. https://github.com/ivan-hc/AM
am -i nvim
am --sandbox nvim
If you want to go the "packaging way", you could use nix's nixCats-nvim to make a fully hermetic nvim installation where you track the origin of all the dependencies (LSPs too) and plugins, all with receipts and hashes and all the good stuff of a reproducible build system. The security industry likes reproducible build systems because there's only one way you can go from source to the artifact.
Then, you package that in e.g. a docker container (which nix can build for you, too) and ship where you need it.
there's already official appimages for neovim, I use them (but not with firejail) and they work fine. but the lsp stuff is all installed outside, my guess is it'd be really annoying to maintain a custom compiled appimage
the best option is probably to just run neovim inside a docker container, you can then mount the directories every time you run a neovim container (~/.config/nvim, ~/.local/share/nvim, optionally .local/state/nvim and your undodir/undofile, there may be more I'm not sure).
assuming you want to isolate your home directory, what gets annoying is giving it access to only the code you're editing, I've yet to try this but my next plan is to give it read access to $HOME, then read/write access to the neovim dirs, and then take an argument to mount the project directory
some other options which I also haven't tried are
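The mount layout planned in the comment above (read-only $HOME, read/write neovim directories, project directory passed as an argument), as an added example that is not part of the original thread. The image name `local/nvim:latest` and the function names are hypothetical, and the image is assumed to have nvim installed.

```shell
#!/bin/sh
# Added example (not from the thread). NVIM_IMAGE is a hypothetical image
# that has nvim installed; build or pick your own.
NVIM_IMAGE="${NVIM_IMAGE:-local/nvim:latest}"

# Print the `docker run` arguments, one per line, for editing project dir $1.
nvim_docker_args() {
    if [ ! -d "$1" ]; then
        echo "not a directory: $1" >&2
        return 1
    fi
    # Resolve symlinks so the checks below see the real path.
    project=$(cd -- "$1" >/dev/null && pwd -P) || return 1
    home=$(cd -- "$HOME" >/dev/null && pwd -P) || return 1
    # Mounting / or all of $HOME read/write would undo the isolation.
    case "$project" in
        /|"$home")
            echo "refusing to mount $project read/write" >&2
            return 1 ;;
    esac
    printf '%s\n' run --rm -it --user "$(id -u):$(id -g)" --env "HOME=$home"
    # Read-only $HOME blocks writes only; files in it (keys, tokens) stay readable.
    printf '%s\n' --volume "$home:$home:ro"
    # Neovim's own directories are mounted read/write over the read-only parent.
    for d in .config/nvim .local/share/nvim .local/state/nvim; do
        if [ -d "$home/$d" ]; then
            printf '%s\n' --volume "$home/$d:$home/$d:rw"
        fi
    done
    printf '%s\n' --volume "$project:$project:rw" --workdir "$project" \
        "$NVIM_IMAGE" nvim
}

# Run it: nvim_sandboxed ~/src/myproject
# (assumes no newline characters in the paths)
nvim_sandboxed() {
    args=$(nvim_docker_args "$1") || return 1
    old_ifs=$IFS
    IFS='
'
    set -f
    # shellcheck disable=SC2086
    set -- $args
    set +f
    IFS=$old_ifs
    docker "$@"
}
```

Paths are mounted at the same location inside the container so that absolute paths in the neovim config and plugin state keep resolving.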