Firejail can make something noexec but it shouldn’t be able to make something exec again*. Which means Browser must start off exec. Should it be read-only before login, or is it enough to be read-only to the sandboxed Browser itself?
*Except it can. Just playing around, with noexec bind mount on browser/data,
user@host:~$ ./browser/data/ok
bash: ./browser/data/ok: Permission denied
user@host:~$ firejail --quiet --overlay-tmpfs ./browser/data/ok
ok
The filesystem is sandboxed now but firejail --overlay-tmpfs ignores the bind mounts completely. Actually it ignores regular mounts too. I guess it does something like a bind mount on / instead of an rbind. (It also doesn’t stack, which may be an issue if one sandboxed application wants to launch another one.)
Maybe Tor Browser could be run normally with a disposable overlay, whitelisting Downloads etc.
If you’re running in the default private mode then maybe you don’t want anything else to stick around anyway.
Unfortunately user settings changed through the browser are stored in prefs.js, along with other settings. But they can be manually pulled out and set in user.js, and probably not changed much. But this might be too much for a normal user.
Bookmarks unfortunately are in places.sqlite which is rather opaque. They might be rewritten into tracking redirects or proxies with typo or homographic domains. Apparently browser.places.importBookmarksHTML and browser.bookmarks.autoExportHTML allow usage of plain html but I haven’t tried.
Search engines are in a mozlz4 file to prevent tampering by malware, ironically making it very difficult for a user to detect tampering.
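To make the mozlz4 search-engine store inspectable from outside the browser, here is an added stand-alone reader (example code, not from this post or from Firejail/Tor Browser): it parses the mozlz4 container, decodes the LZ4 block with no third-party library, and returns the engine list plus a hash of the decoded JSON that can be compared against a known-good baseline. The JSON keys `_name` and `_loadPath` and the sample payloads are assumptions constructed for the example.

```python
import hashlib
import json
import struct

MAGIC = b"mozLz40\0"  # 8-byte header of Mozilla's mozlz4 files, followed by LE32 size

def lz4_block_decompress(src: bytes, dst_size: int) -> bytes:
    """Decode one raw LZ4 block (token, literals, offset, match) into dst_size bytes."""
    dst, i, n = bytearray(), 0, len(src)
    while i < n:
        token = src[i]; i += 1
        lit = token >> 4
        if lit == 15:                      # literal length continues in extra bytes
            while True:
                b = src[i]; i += 1
                lit += b
                if b != 255:
                    break
        dst += src[i:i + lit]; i += lit
        if i >= n:                         # final sequence carries literals only
            break
        offset = src[i] | (src[i + 1] << 8); i += 2
        if offset == 0 or offset > len(dst):
            raise ValueError("corrupt LZ4 block: bad match offset")
        mlen = (token & 0xF) + 4
        if (token & 0xF) == 15:
            while True:
                b = src[i]; i += 1
                mlen += b
                if b != 255:
                    break
        start = len(dst) - offset
        for k in range(mlen):              # byte-wise copy handles overlapping matches
            dst.append(dst[start + k])
    if len(dst) != dst_size:
        raise ValueError("corrupt mozlz4: decoded size mismatch")
    return bytes(dst)

def mozlz4_decompress(blob: bytes) -> bytes:
    if blob[:8] != MAGIC:
        raise ValueError("not a mozlz4 file")
    (size,) = struct.unpack("<I", blob[8:12])
    return lz4_block_decompress(blob[12:], size)

def search_engine_fingerprint(blob: bytes):
    """Return ([(name, loadPath), ...], sha256 of decoded JSON) for baseline comparison."""
    raw = mozlz4_decompress(blob)
    engines = [(e.get("_name"), e.get("_loadPath")) for e in json.loads(raw).get("engines", [])]
    return engines, hashlib.sha256(raw).hexdigest()

def mozlz4_literal_block(payload: bytes) -> bytes:
    """Constructed-sample helper: wrap payload as a literal-only LZ4 block in a mozlz4 container."""
    n = len(payload)
    seq = bytes([n << 4]) if n < 15 else bytes([0xF0] + [255] * ((n - 15) // 255) + [(n - 15) % 255])
    return MAGIC + struct.pack("<I", n) + seq + payload

# Constructed samples: a block with a back-reference ("abc" + 6-byte match at offset 3) and a fake engine file.
MATCH_SAMPLE = MAGIC + struct.pack("<I", 9) + bytes([0x32]) + b"abc" + bytes([3, 0, 0x00])
SAMPLE_JSON = json.dumps({"engines": [{"_name": "DuckDuckGo", "_loadPath": "[app]/duckduckgo"},
                                      {"_name": "Example", "_loadPath": "[profile]/example.xml"}]}).encode()
```

Running `search_engine_fingerprint(open("search.json.mozlz4", "rb").read())` on a real profile and diffing the result against one saved right after setup is the intended check.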