I want to sandbox things like Steam, Discord and even Firefox, and I see bubblewrap getting recommended a lot as the preferred sandboxing tool, but I'm hard-pressed on how to actually use it. I don't know what to enable and what not to.
PS. Please don't recommend Flatpak. I'm aware Flatpak uses bwrap, but I want to avoid Flatpak unless absolutely necessary. I don't have anything against Flatpak, just personal preference :D.
I don't have any experience with Bubblewrap. Is it what people tend to use instead of its alternatives?
Have you had a look at Firejail? I think it does what you are trying to achieve and has a lot of these preconfigured scripts for a variety of the applications you might use (they call them profiles).
https://wiki.archlinux.org/title/Firejail
From the archwiki:
Most users will not require any custom configuration and can proceed to #Usage.
Firejail uses profiles to set the security protections for each of the applications executed inside of it - you can find the default profiles in /etc/firejail/application.profile. Should you require custom profiles for applications not included, or wish to modify the defaults, you may place new rules or copies of the defaults in the ~/.config/firejail directory. You may have multiple custom profile files for a single application, and you may share the same profile file among several applications.
If firejail does not have a profile for a particular application, it uses its restrictive system-wide default profile. This can result in the application not functioning as desired, without first creating a custom and less restrictive profile.
Note: A lot of applications won't have any read or write access anywhere but /home/$USER/Downloads. So one example from me would be that I copied the Firefox profile from /etc/firejail/firefox.local to /home/$USER/firejail/firefox.local and edited the latter to allow Firefox access to /home/$USER/Pictures for the sake of convenience when saving a picture.
Just my two cents in case you are not dead set on Bubblewrap.
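The override mechanism the archwiki quote describes, as an added example (my own code, not the commenter's or the Firejail project's): a small POSIX shell helper that appends a `whitelist` rule to ~/.config/firejail/<app>.local, which is the file Firejail's shipped profiles pull in via their `include <app>.local` line, so the extra grant survives package upgrades and stays reviewable. The function names and sample paths are my own.

```shell
#!/bin/sh
# Firejail searches ~/.config/firejail before /etc/firejail, and every
# shipped profile contains an "include <app>.local" line, so a .local
# file there is the supported place for per-user customizations.
# Usage: add_firejail_whitelist firefox "$HOME/Pictures"

add_firejail_whitelist() {
    app=$1
    path=$2
    dir="${XDG_CONFIG_HOME:-$HOME/.config}/firejail"
    file="$dir/$app.local"
    # Keep the rule portable: firejail expands a literal ${HOME} at
    # start-up, whereas a hard-coded /home/alice only works for one user.
    case $path in
        "$HOME"/*) rule="whitelist \${HOME}${path#"$HOME"}" ;;
        *)         rule="whitelist $path" ;;
    esac
    mkdir -p "$dir"
    [ -f "$file" ] || : > "$file"
    # Idempotent: re-running the helper must not duplicate the rule.
    if ! grep -qxF -- "$rule" "$file"; then
        printf '%s\n' "$rule" >> "$file"
    fi
    # Paths that disable-*.inc blacklists additionally need a matching
    # "noblacklist" line; ~/Pictures is not one of them.
    printf '%s\n' "$file"
}

# Print the whitelist rules an override grants. The value of a sandbox
# is in keeping this list short, so review it before launching the app.
list_firejail_whitelists() {
    file="${XDG_CONFIG_HOME:-$HOME/.config}/firejail/$1.local"
    [ -f "$file" ] && grep -E '^whitelist ' "$file" || true
}
```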