There are three main categories of entry into a device via zero-days: WhatsApp/Signal, SMS/MMS, and Firefox/Chrome/Safari. If these can be isolated, entering a device could become harder.
For all y'all Linux users: run your browsers in a container. You can isolate Firefox to just ~/downloads using Flatpak, it's really easy. Stops those pesky zero days from causing too much damage. Also everything just works.
I believe Flatpak is linux-only. There's a UI to edit Flatpak settings from KDE settings or you can use flatseal.
You can do tons of neat things with it. You can also cut off environment variables, cut off the x11 socket, only allow certain dbus channels, etc. You don't need a docker container or anything, Flatpak is a container technology.
Zero-day exploits for web browsers routinely compromise the entire system, even on MacOS. Even without admin access, the exploit can do significant harm.
The native permission system still works for limiting filesystem access. As for the kinds of things you're describing, I don't think containerization is an effective enough countermeasure. At least definitely not Docker, which includes a root daemon that can be made to run arbitrary commands. A VM, possibly with some of the host integration features disabled, is a better option but is more costly in terms of setup, usability, and power usage. For many, the cost far exceed the risk.
I already have two secure conclaves in my phone, and they're already used up for other apps, e.g. finance apps, etc. One of them uses Work Profile and the other uses Knox. I don't think that more such regions are allowed on non-rooted Android.
As for iOS, to my knowledge it doesn't allow for any such app segregation.
In general, we need stronger per-app isolation such that a zero-day affecting one app doesn't grant any access to anything else.
