And even then, most games are available on multiple platforms, for similar prices. So you can get the same game from Steam, GOG, or EGS in many cases, plus all of the stores that sell Steam keys (and Steam probably doesn’t get a cut of those sales).

That makes no sense, surely everyone has invested in green energy through workplace retirement plans, no?

I’ve thought about this idea for my own project, and my best solution is to have a network of trust where people rely on curation from their peers and thus only see the content their peers have approved.

The main benefit is also the main downside: content you disagree with is still there, you just don’t see it. That means there could absolutely be pockets of CSAM and other content on the network, but your average user wouldn’t have that on their system since they only store curated content.

I’m not sure how I feel about that, but I think it’s the best you can do without centralized moderation.

Sure, but those will usually be pieces of an app on the same host, not whole apps. Like for an inventory management app, you might have the auth server and its database on one host, the CRUD app and its database on another, and the report server, its database, and a replica of the CRUD db on another. And I use the term “host” broadly enough to include VMs on the same physical hardware. And these hosts will have restricted communication between each other.

At least, that’s how I’ve seen it done.

Self-hosters will generally run multiple full apps on one host. It’s a different setup.

You shouldn’t have any user home for your services, you shouldn’t even allow them to login at all. They should only have group access to resources they need, and containers should restrict what directories they have access to.

Companies don’t typically host multiple containers on the same host. So having a different user for them is less important than securing the connection between machines, since a given biat isn’t particularly interesting. Attackers will still try to break out, so they have a backup.

As a self-hoster, you typically do the opposite. You run multiple services on the same host, and the internal network isn’t particularly secure. So you should be focusing more on mitigating issues, and having each service run as an unprivileged user is one fairly easy way to do that.

You can run it rootful, then it behaves just like Docker.