programs: bemenu: fix sandboxing

hosts/common/programs/bemenu.nix

@@ -87,8 +87,13 @@ let
 in
 {
   sane.programs.bemenu = {
-    sandbox.method = "landlock";
+    sandbox.method = "bwrap";  # landlock works, but requires *all* of /run/user/$ID to be granted.
     sandbox.wrapperType = "wrappedDerivation";
+    sandbox.whitelistWayland = true;
+    sandbox.extraHomePaths = [
+      ".cache/fontconfig"  #< else it complains, and is *way* slower
+    ];
+
     packageUnwrapped = pkgs.bemenu.overrideAttrs (upstream: {
       nativeBuildInputs = (upstream.nativeBuildInputs or []) ++ [
         pkgs.makeWrapper