HACKER Q&A
harikb

Do you sandbox different uses of your laptop?


I want to poll the community on whether you try to sandbox different uses of your pc/laptop/mac.

I am usually careful about what applications I install on my Mac, so I try to keep it safe for all kinds of uses, including banking. However, I feel that this might be a false sense of security.

The other day I was installing some plugins for my VsCode and IntelliJ setups and realized I had no idea how much access these random plugins have on my laptop. I understand plugins have access to my source code, but I doubt that access is limited to my project folder.

I understand I could be totally safe by using some VM virtualization, but I feel that is overkill. Are there simpler alternatives? How about just a different user on your machine? With a Mac, though, that becomes unnecessarily complicated, with having to establish an iCloud login for each account. What do folks do? Just trust everything and try to be careful?

I tried keeping a personal device for trading/bank use, but that is just not convenient. There must be a better way.


retrocomputing (accepted answer)
My hardware is unable to run Qubes OS. So I did something else.

I sandbox using different machines and a KVM switch. That limits what domain the potential applications can reach.

Then I use pledge on OpenBSD to further limit what apps can do. This is the default for many apps on OpenBSD, and they can't access anything other than the specified directory. I used Firejail a few times, but optional security is no security at all. I played around with SELinux, but it seems to overcomplicate it.

The situation seems to be that OpenBSD is the only system that limits what applications can do by default. Perhaps Linux systems or Mac will limit what apps can do in the future. OpenBSD has often been the first mover. As I get older, "by default" is the way to go. I'm not a teenager anymore who can spend all afternoon toying around with the kernel configuration or xf86config. Obviously I can't use OpenBSD for everything, so I switch between systems.

Because they are physically different machines, an app can't break out of the VM. You'll want to block SSH though. This is a simple and cheap solution that requires only some discipline about what laptop you use for what and a very messy table (4+ laptops).

The machines will be compromised (pessimist view on security), but at least it would stay on one machine. OpenBSD takes security the most seriously at the kernel level, but X is still a security circus. The access applications have on default Linux, Windows or Mac is way too much for my liking.

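To make concrete what the answer above means by pledge confining an app to one directory, here is a small added example; it is not code from the thread or from OpenBSD, just a demonstration of the two calls involved. On OpenBSD, unveil(2) restricts which filesystem paths a process can see and pledge(2) restricts which syscall groups it may use; the program below unveils one project directory read-only, pledges down to "stdio rpath", and then shows that a file outside the directory can no longer be opened. On platforms without these calls (Linux, macOS) the confining function is compiled out and returns 0 so the program still builds and runs, but nothing is enforced there; that fallback, the directory and file paths used, and the function names are all assumptions of the example.

```c
/* Added example (not from the thread): confining a process to one project
 * directory with OpenBSD's unveil(2) and pledge(2).
 * Assumption: on non-OpenBSD systems confine_to() returns 0 and enforces
 * nothing; no equivalent mechanism (Landlock, seccomp, sandbox-exec) is tried. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Returns 1 if `path` can be opened for reading, 0 otherwise. */
int path_readable(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Restrict the calling process to read-only access under `dir` plus stdio.
 * Returns 1 when the restriction is in force, 0 when this platform has no
 * unveil/pledge (assumption: nothing else is enforced), -1 on error. */
int confine_to(const char *dir)
{
#ifdef __OpenBSD__
    /* unveil: only `dir` (read-only) stays visible; the final NULL,NULL call
     * locks the list so the process cannot unveil anything further. */
    if (unveil(dir, "r") == -1)
        return -1;
    if (unveil(NULL, NULL) == -1)
        return -1;
    /* pledge: from here on only stdio and read-path syscalls are allowed;
     * any other syscall (network, exec, writing files) kills the process. */
    if (pledge("stdio rpath", NULL) == -1)
        return -1;
    return 1;
#else
    (void)dir;
    return 0;
#endif
}

int main(int argc, char **argv)
{
    /* Assumed sample paths: the project directory to allow, and one file
     * that lives outside it. */
    const char *project = argc > 1 ? argv[1] : "/tmp";
    const char *outside = "/etc/hosts";

    printf("before: %s readable? %d\n", outside, path_readable(outside));

    int rc = confine_to(project);
    if (rc < 0) {
        perror("confine_to");
        return 1;
    }
    if (rc == 0) {
        puts("no unveil/pledge on this platform; nothing enforced");
        return 0;
    }

    /* On OpenBSD the open now fails with ENOENT: the path is outside the
     * unveiled set, so as far as this process is concerned it does not exist. */
    int ok = path_readable(outside);
    printf("after:  %s readable? %d (%s)\n", outside, ok,
           ok ? "unexpected" : strerror(errno));
    return 0;
}
```

Run it on OpenBSD with `cc -o confine confine.c && ./confine /path/to/project`; the "before" line shows 1 and the "after" line shows 0 with ENOENT. The point for the plugin question is that the restriction is applied by the process itself before any untrusted code runs, and is irreversible for the rest of its lifetime: an editor that called these two functions at startup could not hand a plugin more than the project directory, whatever the plugin tried.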

fsflover
I just use Qubes OS [0], specifically designed to isolate your workflows using hardware virtualization. I don't feel that it's overkill; the UI is amazing. Makes you feel in control of your laptop.

[0] https://qubes-os.org


dave_sid
Nah I don’t really do that.