Are Wine apps ran isolated? Because we basically have no viruses on Linux, but I imagine running random of course legally obtained games may be very risky
No, the Linux filesystem is usually mounted as Z: in wine. Sandboxing through e.g. flatpak/bubblewrap with permissions set to only allow access to ~/Games should protect from many viruses.
Wine does not sandbox in any way at all. When run under Wine, a Windows app can do anything your user can. Wine does not (and cannot) stop a Windows app directly making native syscalls, messing with your files, altering your startup scripts, or doing other nasty things.
You need to use AppArmor, SELinux or some type of virtual machine if you want to properly sandbox Windows apps.
Note that the winetricks sandbox verb merely removes the desktop integration and Z: drive symlinks and is not a true sandbox. It protects against errors rather than malice. It’s useful for, e.g., keeping games from saving their settings in random subdirectories of your home directory.
Are Wine apps ran isolated? Because we basically have no viruses on Linux, but I imagine running random of course legally obtained games may be very risky
No, the Linux filesystem is usually mounted as Z: in wine. Sandboxing through e.g. flatpak/bubblewrap with permissions set to only allow access to ~/Games should protect from many viruses.
Yes, but the virus will still run and make a damage around.
See https://wiki.winehq.org/FAQ#How_good_is_Wine_at_sandboxing_Windows_apps.3F from their FAQ
So yes, Bottles Flatpak for the win!