I feel a little uncomfortable about running some code “raw” on my machine, so I ended up writing a little “devshell” system to isolate projects inside their own containers. This also offers the benefit of very precise control over the build environment, of course.
At a lower level, I use full-disk LUKS encryption with an external USB key for 2FA, and Secure Boot. That’s getting pretty standard nowadays, though. And doesn’t address the most important attack vectors in a remote-first environment anyway.
