I know that’s not the “real solution” but as weak as access control is in current OSs we can only hope to hide our data from other apps. You say install apps you don’t trust as flatpak. There is an entire distro that’s not installed and can’t be installed as flatpak and is at risk of a supply chain attack, just clinging on good faith and time availability of volunteers. You may install Code as flatpak and a handful more apps, that’s it. Sandboxing everything else is obviously not the best way to protect this one thing and it’s not feasible anyway. Encrypting is still a workaround, but a more realistic one. What you want is to forbid access to your, say, journal, to every app but Logseq. Cryptomator won’t do that. If you had a physical journal you would have stored it under lock and key, not chained your entire family to the walls or written the thing in code. That’s what’s sorely lacking in our security models. Nevertheless, my issue is with the false message many answers convey, not only here but in similar forums, that you’re safe with Cryptomator and alikes. You’re safer, yes, less prone to some kind of attacks, but given the false sense of security that slogans like “you own your data, your data is local, Google cannot spy on you” it’s better to make it crystal clear what kind of attacks you still have to be wary of. Honestly, I believe many people is not aware of the risk of supply chain attacks they face by going all local, all TUI and stuff like that, trusting on an increasing number of increasingly larger open ecosystems, in a very naive way, just because FAANG are evil.