AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy

It might work but it’s untested and unsupported. It’s not finished yet, even for Debian.

No. This isn’t an individual sandbox. All userspace processes are confined under it. Any process sourcing .bashrc will be confined under it. Even init will be confined under it.
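A quick way to verify the claim that every process, init included, is confined is to read each process's AppArmor label from `/proc/<pid>/attr/current` and count the ones still labelled `unconfined`. The script below is an added example for this thread, not code from the apparmor-profile-everything project or the Whonix team; it assumes the Linux procfs label format (`unconfined`, or `<profile> (enforce|complain)`), and the sample labels used to exercise `classify_label` are constructed.

```shell
#!/bin/sh
# Added example: audit AppArmor confinement of running processes.
# Assumption: Linux procfs exposes the AppArmor label of PID N at
# /proc/N/attr/current, in the form "unconfined" or "<profile> (mode)".

# classify_label LABEL -> prints one of: unconfined, enforce, complain, unknown
classify_label() {
    case "$1" in
        unconfined*)   echo unconfined ;;
        *"(enforce)")  echo enforce ;;
        *"(complain)") echo complain ;;
        *)             echo unknown ;;
    esac
}

# label_of PID -> prints the process's label, or "unavailable" when the
# label cannot be read (no such process, no procfs, or AppArmor not loaded)
label_of() {
    f="/proc/$1/attr/current"
    if [ -r "$f" ] && lbl=$(tr -d '\n\0' < "$f" 2>/dev/null) && [ -n "$lbl" ]; then
        echo "$lbl"
    else
        echo unavailable
    fi
}

# audit_all -> prints "pid<TAB>label<TAB>class" for every process and a
# final count of unconfined ones; on a full-system policy PID 1 should
# not appear in that count.
audit_all() {
    unconfined=0
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        lbl=$(label_of "$pid")
        cls=$(classify_label "$lbl")
        printf '%s\t%s\t%s\n' "$pid" "$lbl" "$cls"
        [ "$cls" = unconfined ] && unconfined=$((unconfined + 1))
    done
    echo "unconfined processes: $unconfined"
}

# Usage on a live system:
#   . ./aa-audit.sh && audit_all
#   classify_label "$(label_of 1)"   # expect "enforce" under a full-system policy
```

Reading labels for processes owned by other users may be restricted on hardened kernels, in which case those rows show `unavailable` rather than a false `unconfined`.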

Full read/write access to the home directory is required. Otherwise, you wouldn’t be able to access your own home directory. The system-wide sandboxing framework, sandbox-app-launcher, will prevent apps from accessing your files, though, by running each app in its own restrictive sandbox.
