My current setup is a halfway between insanely secure and functionally useless, so take this with a grain of salt;

SELinux on a debian LTS host, VM to something similarly secure (I use arch to try n get the debian LTS stability + arch quick patches but i might be wrong), hosting as s new user per app a wine podman container using x11docker’d xpra2-xwayland option, and gpu pass through it all.

This gives pretty fine grain control to each individual feature your app is allowed to run, and numerous layers in case like 3 of them all concurrently have security flaws.

Eventually I want to look into the feasibility of sliding g-visor in the podman layer, but I figured I should probably make sure I spend some time actually plating games lol