The best approach is to not run untrusted software. Second best is to be a security expert and run it under the control of a debugger and analyze each instruction before it runs.

This is probably not what you wanted to hear, but every sandbox has flaws and software that is written by someone aware of those flaws can conceivably exploit them.

Tools like firejail are often useful early to mid software life cycle… before exploits become common for them. But there eventually comes a point where a zero day exploit is released and your peace of mind leads you to think you are safe. Their utility varies over time, and it is the nature of zero day exploits that they surprise you.

I think flatpak is a configuration management tool… not a security sandbox… but really the question comes back to what is your use case… do you want to become a security consultant, or are you just looking for a bit more protection from common exploits? There is no magic bullet… even dealing with the minutiae of locking down specific system calls will not protect you perfectly yet it can significantly increase the hassle of onboarding new software. Simply relying on signed software packages most of the can reduce the chance of encountering malicious software significantly over using unsigned packages if you are an ordinary computer user… and getting wrapped up in security issues when you are not aiming to be an expert can just add overhead to your life without making you significantly safer. Beware of the rabbit hole… it can feed your hypochondria rather than protect you if you let the wolf in through the front door and hope the locks scattered around will stop it from harming you.