Sailfish OS 3: app isolation and permissions

it is simple: no isolation at all, only some system apps data is restricted for everyone except special "privileged" unix group

Yes, pretty much what @coderus says. And that's actually not that big of a problem, as long as you trust the app authors & most Linux distros operate the same way (well, with the difference that all software is built on distro infrastructure from source, so any outright malware is easy to spot; this is harder to do on Sailfish OS as both Jolla Store and OpenRepo only support uploading of binary packages).

Also, proper secure sandboxing is pretty hard to do, especially if you want to avoid each any every app having to take it into account. Anyone who ever developed an app for the Nokia N9 will tell you how bad job they did at this and how big pain in the ass the totally broken Aegis platform security system was. Similar sandboxing attempts at Ubuntu Touch before Canonical dropped it were not much better (an image viewer that can't read images from the SD card - unless you import them to the app one by one!).

Though, things are changing in this regard with Flatpak applications, that provide some degree of sandboxing in a transparent manner. And while Flatpak developers still say that security is not the main aim at the moment, it does provide some isolation. And hopefully due to yet another heroic effort of our one any only @rinigus, we might be able to make use of this on Sailfish OS as well. :)

@MartinK it's so funny as some have argued it's the security of flatpaks that is bad to have them on sfos, just install random shit from openrepos kek

I presume that selinux would be an answer for such isolation. Flatpaks can help and they are very close.