Firejail

For extra security, the use of Firejail gives you an added layer of protection. A sandboxed desktop.

Please note ensure you have set up Timeshift prior to use, or they do not play well together.

Introduction
Firejail is a very easy to use piece of software, initially developed to make Firefox more secure by isolating it (putting it in a sandbox) from the rest of your system. Firejail has developed beyond that & can be used simultaneously on many parts of your system. It is worth reading about on Firejail site (linked to above).

From the Github page:
Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.

Firejail is available in the repos. Install it using your synaptic package manager or from the terminal.
sudo apt install firejail

For single use simply prefix your command or application with firejail.
firejail firefox

To integrate Firejail into your whole desktop. Every application you launch will use the firejail sandbox if it is supported by default. To do this use the command
sudo firecfg

The terminal printout will list of all supported applications.

The firejail team also develops a graphical user interface for firejail called firetools. I've passed on this option, it is still Heath Robinson.

You can use the option –-net=none to ensure firejail does not allow any network access, example:
firejail –-net=none thunderbird

But that option will block local network access, such as access to shared folders. To still have local network access, but block the application from accessing the internet use option --protocol=unix. Example:
firejail --protocol=unix thunderbird