Confining Firefox may be the most important thing you can do to improve security on a desktop system.... As a basis I took some old profile from Ubuntu and added more permissions to make it work. This profile works very well. But it separates Thunderbird, you cannot open mailto links with it. But in my mind, it is better to keep the data of both apps separated. To avoid an attacker steal your email account data and vice very. Both, Firefox and Thunderbird want to load kernel modules. I never looked, what kernel modules Firefox or TB need to load. To me it´s a bit scary to allow them loading kernel modules. I haven´t investigated this yet. In this profile I allowed to access /sbin/modprobe. The profile works with Leap 42.1 and its current Firefox.