I have two apparmor profiles targeting shell scripts, which can run other programs. One is “audit” (permissive with logging) and the other is “safe” (enforcing).
The safe profile still has a lot of read access, but not to any directories or files with secrets or private data. Write access is only to the paths and files it needs, and I regularly extend it.
For a specific program that should have very restricted network access, I have some iptables (& ip6tables) rules that only apply to a particular gid, and I have a setgid wrapper script.
Note: This is all better than nothing, but proper segregation would be better. Running things on separate PCs, VMs or even unpriviliged containers.
An apparmor profile is associated with an executable, based on its filesystem path. I think distributions tend to support either SELinux or Apparmor, but some (like Arch) support both.
Apparmor profiles are easier to reason about than SELinux, I find.