
Your proposal is OK if accessing sensitive information is something you only do occasionally, but it's not very practical to switch users completely if you deal with sensitive information often, which many people do.

On the other hand, if only explicitly authorised applications can create outbound Internet connections at all, and if applications like browsers and e-mail clients need explicit permission to read a general user file (as opposed to, say, accessing their own designated configuration or data files), then you significantly decrease the degree of vulnerability a user has to data leakage attacks (among other types).



Check out Qubes OS if you don't want to trust your kernel to enforce your mandatory access controls (you DO only allow certain applications/users/groups/roles/OSs/hypervisors/etc. to do certain things, DON'T YOU??). Xen is a smaller attack surface, and depending on how much of a pain in the ass you consider having all of your files stolen and deleted, there are many options for locking it down quite a lot. XSM-Flask if you are too paranoid, Hypersafe for control flow attacks + invariant violation detection tools for non-control data attacks over nested hypervisors if you are resolute.


>Your proposal is OK if accessing sensitive information is something you only do occasionally, but it's not very practical to switch users completely if you deal with sensitive information often, which many people do.

    $ sudo -u banking gnucash &
    $ firefox &
Done. My banking files and my Firefox session are now separated.


Interestingly, you may have just fucked yourself, because the sudo session is maintained whilst launching Firefox.

If we create a script 1:

    #!/bin/sh
    echo "I'm doing something secure"

And then script 2:

    #!/bin/sh
    echo "I'm doing something insecure."
    sudo echo "I'm doing something malicious."

Then run:

    $ sudo ./script1.sh; ./script2.sh

Looks like Firefox has access to your banking user :)


Not if sudo is set to only allow gnucash! :-)
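The cached-credential problem described in the script1/script2 exchange above and the "only allow gnucash" fix are shown together below as an added example; this is not code posted by any commenter. The user name `alice`, the `banking` account, the `/usr/bin/gnucash` path and the `/etc/sudoers.d` file names are assumptions. The underlying behaviour is sudo's own: after a successful password prompt it records a timestamp for the invoking user (and, with the default `tty_tickets` setting, for that terminal) that suppresses further prompts until `timestamp_timeout` expires or `sudo -k` clears it, which is why the unprivileged `./script2.sh` launched from the same terminal can call `sudo` without being asked for anything.

```shell
#!/bin/sh
# Added example (not from the thread): a weak sudoers fragment that
# reproduces the cached-credential problem, a hardened fragment that
# restricts alice to gnucash-as-banking with no credential caching, and a
# launcher that drops the cache as soon as the application is running.
# alice, banking, /usr/bin/gnucash and the file names are assumptions.
set -u

# Weak: an unrestricted rule plus the stock credential cache. timestamp_timeout
# is not set, so it takes the default (5 minutes upstream, 15 on some
# distributions) and `sudo ./script1.sh; ./script2.sh` lets script2 run its
# own `sudo echo ...` as root without a prompt.
weak_sudoers_fragment() {
    cat <<'EOF'
# /etc/sudoers.d/alice-weak   (assumed file name)
alice ALL=(ALL) ALL
EOF
}

# Hardened: alice may run exactly one command, only as the banking user, and
# the password timestamp is never cached. script2's `sudo echo` is now refused
# outright ("not allowed to execute ... as root"), and even an allowed
# command would prompt again every time.
hardened_sudoers_fragment() {
    cat <<'EOF'
# /etc/sudoers.d/alice-banking   (assumed file name)
Defaults:alice timestamp_timeout=0
alice ALL=(banking) /usr/bin/gnucash
EOF
}

# Syntax-check a fragment with visudo when it is installed. Note that
# `visudo -c` also inspects owner and mode, so a scratch copy in $TMPDIR can
# be rejected for that reason alone; the real file must be root-owned, 0440.
check_with_visudo() {
    fragment="$1"
    if ! command -v visudo >/dev/null 2>&1; then
        printf 'visudo not found; skipping syntax check of %s\n' "$fragment" >&2
        return 2
    fi
    visudo -c -f "$fragment"
}

# Launch an application as another account and immediately invalidate the
# cached credential. This is the fallback when you cannot edit sudoers: the
# foreground sudo prompts, starts the application detached, and returns, and
# only then is `sudo -k` run, so there is no race with a backgrounded sudo
# that is still reading the password. $SUDO lets you dry-run with SUDO=echo.
launch_as_user() {
    target_user="$1"; shift
    ${SUDO:-sudo} -u "$target_user" -- sh -c 'nohup "$@" >/dev/null 2>&1 &' sh "$@"
    ${SUDO:-sudo} -k
}

printf '--- weak fragment ---\n'
weak_sudoers_fragment
printf '\n--- hardened fragment ---\n'
hardened_sudoers_fragment
```

Usage from the user's own account: `launch_as_user banking /usr/bin/gnucash` followed by `firefox &`. With the hardened fragment installed, the separation the earlier comment describes holds even if something run later from the same terminal tries `sudo` on its own; without it, `sudo -k` right after the launch is the minimum you should add.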


And for the 99.7% of users in the real world who drive their computers using a GUI and not a command line? Or those who do use a command line but aren't sufficiently competent with system administration to reliably get sudo-based access control right every time?



