I don’t have any experience with Bubblewrap. Is it what people tend to use instead of its alternatives? Have you had a look at Firejail? I think it does what you are trying to achieve and has a lot of these preconfigured scripts for a variety of the applications you might use (they call them profiles). https://wiki.archlinux.org/title/Firejail From the archwiki:

Most users will not require any custom configuration and can proceed to #Usage.

Firejail uses profiles to set the security protections for each of the applications executed inside of it - you can find the default profiles in /etc/firejail/application.profile. Should you require custom profiles for applications not included, or wish to modify the defaults, you may place new rules or copies of the defaults in the ~/.config/firejail directory. You may have multiple custom profile files for a single application, and you may share the same profile file among several applications.

If firejail does not have a profile for a particular application, it uses its restrictive system-wide default profile. This can result in the application not functioning as desired, without first creating a custom and less restrictive profile.

It also has support for use in conjunction with Apparmor: https://wiki.archlinux.org/title/Firejail#Enable_AppArmor_support

Note: A lot of applications won’t have any read or write access anywhere but /home/$USER/Downloads. So one example from me would be that I copied the Firefox profile from /etc/firejail/firefox.local to /home/$USER/firejail/firefox.local and edited the latter to allow Firefox access to /home/$USER/Pictures for the sake of convenience when saving a picture.

Just my two cents in case you are not dead set on Bubblewrap.