How to limit user access to selected applications?

If you really want to restrict access to applications for some user(s), there are a few things that come to my mind. All of them involve a separate user account and none seem really satisfying to me.

• If you just want to hide diversity and complexity as to not confuse users, override all “unnecessary” application starters. Something along the lines of the following untested shell script:

  cp -R {/usr,~/.local}/share/applications
  find ~/.local/share/applications -name *.desktop -exec sed -i -e '/^NoDisplay=/d;/^[Desktop Entry]$/a NoDisplay=true' {} +
  

  Then delete the starters of allowed applications in ~/.local/share/applications. You can do a similar things for MIME types that you don't want them to open (with some applications).

• Write some apparmor rules that forbid user "parents" to execute anything except allowed applications. This is potentially difficult, because many applications rely on external programs and shell scripts, and some have their real binary executables somewhere in /usr/lib. It may work for a very limited set of applications though.

  A sensible set of programs to allow would be stuff from the packages "coreutils", "bash", "python", "perl", and any dependencies of allowed applications.

  I would also do disable the application starters as explained above as to not have a bunch of dysfunctional starters in the dash, dock, application menu, or wherever.

Give them a separate user account without administrative privileges. If they don't need to save stuff beyond the length of a session, a temporary guest account will do.