Confining Firefox may be the most important thing you can do to improve
security on a desktop system....
As a basis I took some old profile from Ubuntu and added more
permissions to make it work.
This profile works very well. But it separates Thunderbird; you cannot
open mailto links with it. But in my mind, it is better to keep the data
of both apps separated, to avoid an attacker stealing your email account
data and vice versa.
Both Firefox and Thunderbird want to load kernel modules.
I never looked at what kernel modules Firefox or TB need to load.
To me it's a bit scary to allow them to load kernel modules.
I haven't investigated this yet.
In this profile I allowed access to /sbin/modprobe.
The profile works with Leap 42.1 and its current Firefox.