The thing with AppImages is: it requires FUSE2 which doesn’t really get packaged/included by default anymore in a lot of places and the recommendation is “build on the most old and crusty distro you want to support” which just sounds like a nightmare in multiple ways :)
And with snaps the sandboxing only really works on Ubuntu and nowhere else last time I looked into it (then there is also the entire problem if you want to host your own repository/“storefront”).
So really the only universal sandboxing method that effectively makes sense is Flatpak.
I would have guessed that Ubuntu would install it by default since it's a very common way to get stuff from the internet (when in the terminal), but apparently not (the other option is wget which is most likely installed, but that uses a different way to get the stuff).
You should be able to install curl with sudo apt install curl
It only at most auto logs you into the display manager or more generally into login. Then you still need to get root access to modify anything from there. Login would still be based on user password/key/whatever.
Having read Poettering's blog posts a bit, he explains that the TPM2-based encryption is entirely just for system resources (basically everything under / with the exception of /home). For home he still “envisions” (it's already possible and not really hard with sd-homed) that the encryption is based on the user's passphrase/key/whatever and not unlockable by anything other than the user's passphrase/…
Chief, MS has multiple internal-only Linux distros and publicly they have CBL-Mariner and I think another that I forgot. They are mostly used with Azure. From what I know, they really aren't that much different from any other (common) distro out there.