
Linux has lots of sandboxing features. Many Linux distros only use them minimally because the value proposition is poor: Most distros don't ship closed-source applications and in the last 30 years there have only ever been a tiny number of backdoored open source packages. OTOH, sandboxing tends to break the kind of complex workflows that users are fond of.

Another angle to point out is that some distros do bake in more protective features; consider Fedora using SELinux. Then, again, keep considering SELinux and observe how many things it breaks the moment you set a single foot off the trodden path.



> there have only ever been a tiny number of backdoored open source packages

First, these packages might contain vulnerabilities; second, I also want to be able to run third-party software, including closed-source software, Windows software and random scripts from GitHub. If you restrict yourself to official repositories, then you cannot do much useful work.

> consider Fedora using SELinux.

Because SELinux is not what I want. I want a GUI with checkboxes like "Allow playing sound" or "Allow reading CPU model" rather than describing access to every individual file.


The Linux sandboxing features are mostly quite poor tbh. Compare to Apple's stack (if you include the private SBPL) and it doesn't come close. Apple is way ahead of both Windows and Linux when it comes to pervasive sandboxing.


I'm not super familiar with Darwin, but I am skeptical on the grounds that macOS doesn't have containers, which are constructed from the same primitives as a sandbox.


It does indeed have something similar to containers, built on their sandboxing tech rather than namespaces. Take a look in ~/Library/Containers to see the Apple equivalent.


It’s not about backdoors. A good chunk of Linux userspace is written in unsafe languages (IMO, for no good reason). A well-intentioned buggy program opening bad-intentioned data is enough to cause trouble, and for some reason, no one seems to care about it at all. Linux distros have no security whatsoever, by any practical definition.


> Linux has lots of sandboxing features.

The issue is often not the individual features, but delivering them as a consistent, usable package. Flatpak is getting there, but it's a long road: you don't just need some kernel sandboxing features, but also toolkit extensions to make files available to sandboxed applications (portals), etc.

> Many Linux distros only use them minimally because the value proposition is poor: Most distros don't ship closed-source applications

That's kind of putting your head in the sand. A lot of users need closed-source applications for work, such as Slack, Zoom, Chrome, Obsidian, JetBrains IDEs (the non-open-source flavors), or for fun (games, Steam, Spotify). Some have web apps, but they generally work less well.

> a tiny number of backdoored open source packages

Backdoored applications are not the only issue. Also non-backdoored applications with vulnerabilities, basically any client, etc. The saving grace of the Linux desktop is that it's not much of an interesting target due to relatively low popularity. Otherwise actors would be hunting for vulnerabilities in RSS readers, chat clients, etc. (remember that the surface is not only the application itself, but also any image/video decoding libraries, etc.).

> OTOH, sandboxing tends to break the kind of complex workflows that users are fond of.

That's an issue, especially for Linux power users. For most users, sandboxing can be done without too many issues (see e.g. sandboxed Mac apps).



