Systemd has some pretty nice sandboxing settings built in if you (like me) prefer to not use docker-like containers.

With stuff like RootImage and the various isolation settings you can have a configurably sandboxed container right in systemd.

Or just use systemd-nspawn if you want it more preconfigured.