You can use linux namespaces or a tool like bubblewrap to sandbox the process which makes it reasonably secure. However if you're running a GUI app that rendres to an X11 server all your security gains go out the window.