Windows struggles with feature adoption though. Win11 helped with the TPM requirement and features on by default, but MSIX apps are still underrepresented, so userspace sandboxing is weaker. Windows virtualization-based security is great though; imo it's a significant advantage over Android.
MSIX doesn't implement sandboxing. Apps can opt in to being sandboxed via that tech, but you can also write totally unsandboxed apps. There's also a very lightweight app container mode called (internally) Helium, which just redirects some filesystem and registry stuff, but the goal is to make uninstalls clean, not security.
The Windows kernel does offer an impressive number of options to lock down processes. Look at the Chrome sandbox code some time. The Windows API is huge but you can really lock it down a lot. The macOS sandbox architecture is, however, the best. The Linux approach is sadly in third place.
App silos are pretty neat. I also find it kind of shameful that server silos are locked down to server SKUs. I would figure there could be some significant benefit to using them in browser renderer processes.
I think they recently added a way to opt out of it entirely. That said, it does very little and, because it's not a sandbox, it's easy to 'escape':
• Copy an EXE to %TEMP% and run it from there.
• Use a Win32 API flag to start a process (of any path) outside the app container.
There are only a few cases where Helium is an issue and they're all easy to work around. One example is writing a log file to your app private UserData directory and then opening Notepad on it. If you do it the 'naive' way then Notepad won't be able to find it, because you'll pass a redirected path which it can't see. The fix is simply to resolve the redirect before passing the argument to Notepad using a Win32 API call.
I know we talked about Conveyor a few days ago, so I'll note here that if you package a JVM app with it then the %LOCALAPPDATA% and %APPDATA% environment variables are rewritten to their target locations automatically, so as long as you use them to decide where to write app private files, their paths will be visible to other apps, avoiding the Notepad issue. This doesn't apply to native or Electron apps though, at least not at this time.
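The Notepad workaround described in the comment above, as an added example that is not code from the thread or from Conveyor. It assumes that the Helium redirect is implemented as a filesystem reparse, so that GetFinalPathNameByHandleW on an open handle returns the real on-disk location (typically somewhere under ...\Packages\<PackageFamilyName>\LocalCache\...); the MyApp\app.log path and the log line are constructed for the demo.

```powershell
# Added example, not from the original thread: resolve the Helium/MSIX
# filesystem redirect before handing a path to a process outside the container.
# ASSUMPTION: the redirect is a reparse, so GetFinalPathNameByHandleW yields the
# redirected target rather than the path the app originally asked for.
Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GetFinalPathNameByHandleW(
    Microsoft.Win32.SafeHandles.SafeFileHandle hFile,
    System.Text.StringBuilder lpszFilePath,
    uint cchFilePath,
    uint dwFlags);
'@

function Resolve-RedirectedPath {
    param([Parameter(Mandatory)][string]$Path)
    # Open the file through the same (possibly virtualized) view the app uses.
    $stream = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $sb = New-Object System.Text.StringBuilder 32768
        # dwFlags 0 = FILE_NAME_NORMALIZED | VOLUME_NAME_DOS
        $len = [Win32.NativeMethods]::GetFinalPathNameByHandleW(
            $stream.SafeFileHandle, $sb, [uint32]$sb.Capacity, 0)
        if ($len -eq 0 -or $len -gt $sb.Capacity) {
            $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            throw "GetFinalPathNameByHandleW failed, Win32 error $err"
        }
        $final = $sb.ToString()
        # The API returns an extended-length path; strip the \\?\ prefix so
        # the result looks like an ordinary path for the receiving program.
        if ($final.StartsWith('\\?\')) { $final = $final.Substring(4) }
        return $final
    } finally {
        $stream.Dispose()
    }
}

# The 'naive' path: what the packaged app sees, which Notepad may not.
$logPath = Join-Path $env:LOCALAPPDATA 'MyApp\app.log'   # constructed for the demo
New-Item -ItemType Directory -Force -Path (Split-Path $logPath) | Out-Null
Add-Content -Path $logPath -Value "$(Get-Date -Format o) constructed log line"

$realPath = Resolve-RedirectedPath -Path $logPath
Write-Host "App-visible path : $logPath"
Write-Host "Resolved on disk : $realPath"

# Pass the resolved path, not the app-visible one, to the external process.
Start-Process -FilePath notepad.exe -ArgumentList ('"{0}"' -f $realPath)
```

When the app is not packaged (or Helium is opted out), the resolved path is simply the input path, so the helper is safe to call unconditionally. Whether the two paths differ in a given run is the quickest check that the redirect is actually in effect.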