A recent email exchange with @JuvenalUrbino recalled to mind a rather neat way to do browser "sandboxing". It's not a new idea (Android does this for all its apps after all), but, this is how we used to isolate programs back in the days when virtualization meant running Bochs instances. I present:
the Poor Man's Browser Sandboxing
You can use the same technique for other large Xorg programs.