Make your app (flatpak, snap or appimage) be owned by another user.

Use a .desktop, wrap the command in the graphical equivalent of “sudo -u” for your graphical shell, and it will ask you for that user’s password.

You can also write a util to decrypt an encrypted .tar.gpg flatpak directory (flatpak lets you specify different installation paths, you can use that to separate it from the main flatpak dir), or decrypt a .appimage.gpg, and execute it. You could even write a wrapper to install a flatpak with a specific password, and it would automatically pick that specific install dir and .tar.gpg it every time.

Keep in mind that nothing keeps your other users from downloading that software on their own and using another copy of it unless you use parental controls.

I highly recommend giving them their own account though.

Same as you would on MacOS :

• ditch the .deb package because it’s the wrong tool for the job here.
• Squashfs image with encryption
• Set keyring entries and a wrapper script to manage lock/unlock. If you already know the hardware platform of all users, this can even be improved upon

I have no idea why someone would be using Debian packages to distribute something like this though, if that’s the question. Absolutely not going to work well.

Creating a different user account for it is out of the question btw, since you can still change the password for that user via the primary admin account

If they can su(do) they can open it. They’ve already authenticated.

You can do it with groups but since there’s no barrier to admin access it’s already undermined.

You might be able to use something like distrobox instead of a full VM. That would at least put it in a container that you could either run from an encrypted partition or something.

Different users would be the “simple” way you’d normally do something like this under Linux. But if your regular users have sudo access, you can’t really lock anything down.