For all y'all Linux users: run your browsers in a container. You can isolate Firefox to just ~/downloads using Flatpak, it's really easy. Stops those pesky zero days from causing too much damage. Also everything just works.
I believe Flatpak is Linux-only. There's a UI to edit Flatpak settings from KDE settings or you can use Flatseal.
You can do tons of neat things with it. You can also cut off environment variables, cut off the X11 socket, only allow certain D-Bus channels, etc. You don't need a Docker container or anything; Flatpak is a container technology.
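One way to check that an app's Flatpak permissions are as tight as the comments above describe, as an added example that is not part of the thread: it parses the keyfile text that `flatpak info --show-permissions <app-id>` prints (override files use the same layout) and flags broad filesystem access, the X11 socket, D-Bus names outside an allow-list, and environment variables. The sample text, the allow-lists and the function names are assumptions made for illustration.

```python
import configparser

# Constructed sample in Flatpak's keyfile permission format; not taken
# from a real package.
SAMPLE = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
filesystems=home;xdg-download;
[Session Bus Policy]
org.freedesktop.Notifications=talk
org.freedesktop.secrets=talk
[Environment]
MOZ_ENABLE_WAYLAND=1
"""

# Filesystem keywords that expose far more than a download directory.
BROAD_FS = {"host", "host-os", "host-etc", "home"}

def _items(cp, key):
    """Return granted values of a [Context] list; '!value' marks a removal."""
    raw = cp.get("Context", key, fallback="")
    return [v for v in raw.split(";") if v and not v.startswith("!")]

def audit(text, allowed_fs=("xdg-download",), allowed_bus=()):
    """Return a list of findings; allowed_fs/allowed_bus are assumed policy."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep case of D-Bus names and variable names
    cp.read_string(text)
    findings = []
    for fs in _items(cp, "filesystems"):
        path = fs.split(":")[0]  # drop a :ro / :rw / :create suffix
        if path in BROAD_FS:
            findings.append(f"filesystem: broad access '{fs}'")
        elif path not in allowed_fs:
            findings.append(f"filesystem: unexpected path '{fs}'")
    if "x11" in _items(cp, "sockets"):
        findings.append("socket: x11 exposed")
    if cp.has_section("Session Bus Policy"):
        for name, policy in cp.items("Session Bus Policy"):
            if policy != "none" and name not in allowed_bus:
                findings.append(f"dbus: {name}={policy}")
    if cp.has_section("Environment"):
        for var in cp.options("Environment"):
            findings.append(f"env: {var} set inside sandbox")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE, allowed_bus=("org.freedesktop.Notifications",)):
        print(line)
```

An empty result means the permissions match the allow-lists; it says nothing about kernel or portal bugs that would bypass the sandbox itself.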
Zero-day exploits for web browsers routinely compromise the entire system, even on macOS. Even without admin access, the exploit can do significant harm.
The native permission system still works for limiting filesystem access. As for the kinds of things you're describing, I don't think containerization is an effective enough countermeasure. At least definitely not Docker, which includes a root daemon that can be made to run arbitrary commands. A VM, possibly with some of the host integration features disabled, is a better option but is more costly in terms of setup, usability, and power usage. For many, the cost far exceeds the risk.