Hello, is there a security difference between firejail and LXC? Is firejail using LXC?
I guess firejail is fine to use with trusted apps (in case of a security bug, to limit filesystem access), but if the app is untrusted / not open source, the best thing to do is to run it in an LXC container with AppArmor through VNC.
Maybe it can be clarified in the README file that firejail does not prevent keyloggers logging keys in the background and spyware taking screenshots of the entire desktop (unlike LXC with VNC or X2Go).
> Hello, is there a security difference between firejail and LXC?
Yes. Usage: firejail is easier for new users. Security: (example) disable-programs.inc, ...
> Is firejail using LXC?
No, but both use the same kernel functions such as Namespaces.
> if the app is untrusted / not open source
Not open source != untrusted (my opinion)
If it is really untrusted (e.g. malware), you should not execute it at all. If you do have to, you should do it in a VM.
> firejail does not prevent keyloggers logging keys in the background and spywares taking screenshots of the entire desktop
You can use X11 isolation with --x11=xephyr for example.
Thanks, I consider closed source software untrusted since there could be spyware hidden in it, but it could also happen for open source software that is not in an official Linux distribution package, so it is better to run it in a container (other people mentioned it here: https://stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/). I think it is enough to run untrusted software in LXC using VNC, which will be more lightweight than a VM.
Good to know the X11 isolation with --x11=xephyr, I guess this provides the same security as LXC using VNC, which provides X11 isolation too?
What do you mean by "Security: (example) disable-programs.inc"?
> What do you mean by "Security: (example) disable-programs.inc"?
If you allow access to your real $HOME, firejail has a long list of blacklists/read-only paths for files/dirs where it makes sense to be read-only in the sandbox (like .bashrc) or to be blacklisted (= inaccessible) (like ~/.mozilla).
I noticed that by default firejail allows access to the home directory, compared to LXC. That's a good difference to have in mind when using untrusted apps. But it can be fixed by using --private and copying the untrusted app into the /tmp folder.
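The two approaches discussed in this thread, written out as a small POSIX shell script. This is an added example, not firejail project code and not posted by any participant: it writes a profile that either keeps the real $HOME visible with the read-only/blacklist lines mentioned above ("trusted" mode) or uses a fresh empty home with Xephyr X11 isolation ("untrusted" mode), and it stages an untrusted binary in /tmp so that a `private` sandbox can still reach it. The function names, the /tmp staging layout and the extra hardening lines (caps.drop, seccomp, noroot, nonewprivs, net none) are this example's own choices and are not taken from the thread.

```shell
#!/bin/sh
# Added example for this thread, not firejail project code.
# Assumed (not from the thread): function names, the /tmp staging layout,
# and the extra hardening lines caps.drop/seccomp/noroot/nonewprivs/net none.
set -eu

# write_profile MODE FILE
#   trusted   -> real $HOME stays visible; the examples from the thread
#                (.bashrc read-only, ~/.mozilla blacklisted) are applied
#   untrusted -> fresh tmpfs $HOME (private), X11 isolated through Xephyr,
#                no network
write_profile() {
    mode=$1
    out=$2
    {
        echo "# $mode profile, generated by the example script"
        echo "include /etc/firejail/disable-common.inc"
        echo "include /etc/firejail/disable-programs.inc"
        echo "caps.drop all"
        echo "seccomp"
        echo "noroot"
        echo "nonewprivs"
        case $mode in
            trusted)
                # firejail expands ${HOME} itself, so keep it literal here
                echo 'read-only ${HOME}/.bashrc'
                echo 'blacklist ${HOME}/.mozilla'
                ;;
            untrusted)
                echo "private"
                echo "x11 xephyr"
                echo "net none"
                ;;
            *)
                echo "unknown mode: $mode" >&2
                return 1
                ;;
        esac
    } > "$out"
}

# stage_app SRC
#   Copy SRC into a fresh directory under /tmp, executable only by the
#   owner, and print the staged path. With "private" the sandbox sees an
#   empty $HOME, but /tmp is still shared, so the copy is reachable there.
stage_app() {
    src=$1
    name=$(basename "$src")
    dir=$(mktemp -d /tmp/untrusted.XXXXXX)
    cp "$src" "$dir/$name"
    chmod 0500 "$dir/$name"
    echo "$dir/$name"
}

# sandbox_cmd PROFILE APP
#   Print the firejail command line that run_untrusted executes.
sandbox_cmd() {
    echo "firejail --profile=$1 $2"
}

# run_untrusted SRC
#   Stage SRC, write the untrusted profile and launch it under firejail.
#   If firejail is not installed, only print what would have been run.
run_untrusted() {
    app=$(stage_app "$1")
    profile=$(mktemp /tmp/profile.XXXXXX)
    write_profile untrusted "$profile"
    if command -v firejail >/dev/null 2>&1; then
        firejail --profile="$profile" "$app"
    else
        echo "firejail not installed; would run: $(sandbox_cmd "$profile" "$app")" >&2
    fi
}

# usage: ./sandbox.sh /path/to/untrusted-binary
[ $# -eq 0 ] || run_untrusted "$1"
```

The "x11 xephyr" line needs the Xephyr server installed; "net none" is a stricter choice than the thread's VNC setup and should be dropped if the application needs network access.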
I'm closing here due to inactivity, please feel free to reopen if you have more questions.