I almost never share an entire screen, but rather single application windows; when I absolutely must share visual information from multiple applications simultaneously, I create a separate virtual desktop for presenting. Is this not possible?

Idk what exactly you’re asking for, but this is already an option for me on teams in chrome running under Wayland??? Like when I choose start presenting it pops up a dialog with window options including the whole desktop.

To my knowledge it’s impossible in X, unless you run apps on separate X servers.

Wayland handles this by default, with the exception of Xwayland apps

If I run these as an unprivileged user via xhost, they don’t really work well.

This is not a strong security boundary and in this case is basically doing the opposite of what you want. Giving access to an X session is basically giving the app full access to your user account. As an example they can inject keystrokes to open a terminal and do whatever they want. X also gives every program access to every other program.

Running as a different user will prevent direct access to other resources of your user account which may block some generic malware/spyware that tries to gobble up random files, but keyloggers and screen captures will just work as expected because they use X anyways.

As mentioned in other comments the best solution to this is Wayland. Under Wayland apps don’t have direct access to each other. These apps use “Portals” which are trusted permission prompts. So if you try to share the screen under Wayland you will get a trusted prompt that list all windows, and if you select one the app only gets access to that one selected window.

Although it is worth noting that most apps running under your user account will have pretty broad access. This can be mitigated by sandboxing tools like Flatpak but many available Flatpaks don’t provide much isolation. Carefully check the permissions if isolation is important to you.

And for the truly paranoid anything running under the same kernel is not strongly isolated. It is likely good enough for these partially trusted apps like Zoom or Teams (they are not likely to actually try to exploit your system, just suck up more data than you would like them to) but not strong enough for running completely untrusted programs that may be malicious. You would at least want a VM boundary (see Qubes OS) or ideally different physical hardware.

Another good option is running these in a browser. Browsers are designed from the ground up to run untrusted software safely. Google Meet works perfectly in the browser and Zoom has all of the core functionality available. (I don’t use MS Teams so can’t vouch for it.) This is my main approach to isolating proprietary software as it is reliable and I also value features such as cross-platform usage. Half of these programs just run Electron anyways so running in my main browser will use less resources and be faster than running 7 different Chromium processes.

deleted by creator

You could pass through one GPU to a VM running zoom if you wanted to get hardcore.

https://obsproject.com/forum/threads/solved-record-multiple-windows-but-not-all.106931/

in addition to windowed projector (creates window of what obs would be streaming)

A but hacky, and a pain to set up past 2 windows, but it works. I do this, creating a windowed projector, and then just share only that window.