Yeah, it's too hard to just `useradd -m name` a new user, maybe set default acl once via setfacl -m d:u:main-user:rwx /home/name for easier file sharing with the main desktop user account, and `sudo su - name` to it, and run whatever less trusted apps need to run under that user account from then on, mostly isolated from the rest of the [file]system.

Distros clearly don't allow this and none has this feature or these commands preinstalled by default, nor they are built to be multi-user OSes. :D

Fedora (and I think all the RHEL family) comes with SE Linux by default. Although I'm not that familiar with it (I tend to disable it more often than not) it seems to me like it's addressing precisely that.

It can't address that when it's disabled, and since it's not a good tool of addressing the issue, it stays disabled

selinux isn't used in any meaningful way for desktop software.

The actual solution in that space is Flatpak.