The only thing Electron can do is disable the (unprivileged) user namespaces component of their sandbox (preferably specifically, it's not super clear to me what other components --no-sandbox disables, but there are other sandbox related flags so it's not as binary as the name suggests); in every other respect this is a packaging problem and the only "fix" is a package without the problem. By Joplin officially, that'd be the .deb which doesn't need --no-sandbox because instead Joplin briefly runs as root and drops the root permissions once it's set up the other components (chromium-sandbox has a SUID bit and is owned by root, meaning anything that runs it, runs it as root).
Debian doesn't have this functionality by default; Ubuntu has it but in a more restricted mode where AppArmor mediates it so some software can use it. I think RHEL doesn't come with this enabled by default, since I remember having to enable it there to get e.g. Flatpaks to work. I could be wrong on this though, since RHEL10 comes with Flatpaks by default; this was super specifically CentOS 7 at the time.
(In a default or common use of Red Hat Enterprise Linux 7 unprivileged user namespaces are disabled by default, so local unprivileged users cannot abuse namespaces to grant themselves the CAP_NET_RAW capability and potentially elevate their privileges on the system.)
Linus Torvalds himself has said that he doesn't like the API being used by unprivileged processes and considers it a mistake they're stuck with, so although appeal to authority isn't a solid logical paradigm, the authorities seem pretty consistent on this.
If a user disagrees, then they can re-enable the API, but it's disabled as a distribution policy, not a bug; Ubuntu knew what they were doing when they made this decision, as did RHEL.
Of course, Google only care about Chrome, which also installs as a native package without this problem, so it's difficult to expect progress when the people leading the underlying framework don't have a reason to care.
Regarding this specifically, AppImages are unsandboxed unless you use external tools like Firejail or similar to change that. No AppImage has sandboxing by default, Joplin or otherwise; the sandbox is specific to the Electron parts to defend against specific web exploits. The app itself is free to delete all your files if it wanted to though.
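
An added example, not part of the post above and not Joplin's or Electron's code: a shell check that classifies how a host treats unprivileged user namespaces and whether a setuid-root sandbox helper is present as the fallback. It assumes the mainline `user.max_user_namespaces`, Debian-style `kernel.unprivileged_userns_clone` and Ubuntu `kernel.apparmor_restrict_unprivileged_userns` sysctls; the function names, the sysroot argument and the helper path are hypothetical.

```shell
#!/bin/sh
# Added example: report which Chromium/Electron sandbox path a host allows.
# The sysroot argument is an assumption of this example so the logic can be
# pointed at a constructed directory tree instead of the live /proc/sys.

read_sysctl() {  # $1 = sysroot, $2 = relative path; prints value or nothing
    [ -r "$1/$2" ] && cat "$1/$2"
    return 0
}

userns_status() {  # prints: disabled | restricted | enabled
    root="${1:-/proc/sys}"
    max=$(read_sysctl "$root" user/max_user_namespaces)
    clone=$(read_sysctl "$root" kernel/unprivileged_userns_clone)
    aa=$(read_sysctl "$root" kernel/apparmor_restrict_unprivileged_userns)

    # Mainline knob: 0 means no user namespaces can be created at all.
    if [ "$max" = "0" ]; then echo disabled; return; fi
    # Debian-style knob: 0 blocks creation by unprivileged users.
    if [ "$clone" = "0" ]; then echo disabled; return; fi
    # Ubuntu knob: 1 means AppArmor decides which programs may use them.
    if [ "$aa" = "1" ]; then echo restricted; return; fi
    echo enabled
}

# True when the helper is a regular file, setuid, and owned by uid 0.
has_suid_root_helper() {
    [ -f "$1" ] && [ -u "$1" ] && [ "$(stat -c %u "$1")" = "0" ]
}

sandbox_advice() {  # $1 = status from userns_status, $2 = helper path
    case "$1" in
        enabled) echo "namespace sandbox available" ;;
        *) if has_suid_root_helper "$2"; then
               echo "setuid sandbox available"
           else
               echo "no sandbox path: app will need --no-sandbox or a native package"
           fi ;;
    esac
}

# Placeholder helper path; set HELPER to the packaged sandbox binary.
sandbox_advice "$(userns_status)" "${HELPER:-/path/to/sandbox-helper}"
```

On a host where the status is "restricted", an application without a matching AppArmor profile should be treated the same as on a "disabled" host, which is why both fall through to the setuid helper check.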