
Jails are nice but it has always seemed like a system where you don't need another copy of userland would be better (e.g. sandboxing). It's wasteful and you might forget to apply security patches.


You do not need another copy of the FreeBSD userland in a jail.

My unbound DNS server, for instance, has something like 24 total files in it. The reason it has so many is because I run two different jails from it - my unbound jail and my nsd jail share the same directory/mountpoint.

Which is to say, I run two different jail commands, that start two different jails with different IPs and startup commands, but they both point to the same directory/mountpoint.

Updates consist of replacing a few binary executables.

Not everything will fit into that model, but when it does, it is fantastic.


Jails can be used for this. You can jail a process and only limit what it listens on for example.

  jail -c path=/ ip4=disable ip6=inherit command=/bin/csh
for instance would run the command "/bin/csh" and jail it so that it doesn't get access to any IPv4 and it allows communications over IPv6 only.

So you can use jails to sandbox applications. You can also mount all paths read-only and only the paths required for the application as read/write. Jails can be very handy for all kinds of operations around that; there is no requirement that you provide the jail with a copy of the userland again, although that is the easiest way to run jails.


Sad that there's no equivalent to this in Linux.


I think firejail is what you are looking for no?

https://wiki.archlinux.org/index.php/Firejail


Oh man, I want to have this in Linux.


I think firejail is what you are looking for no?

https://wiki.archlinux.org/index.php/Firejail


I think you can do this with nsenter?


systemd can do it, if you're OK with systemd.


Actually, you don't need another copy of userland. You merely need a dedicated space for the jailed OS (assuming we're talking OS-style jails, not process-style ones) to write the things the OS writes to (devices, logs, etc.). You could get away with null mounting your host filesystem and then mounting writeable space on top of it. I once had read-only mounts for my jails, for funsies.
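A worked jail.conf putting the two ideas in this thread together (two service jails sharing one directory, as in the unbound/nsd comment above, and a read-only nullfs mount of the host filesystem with writable space on top, as in this comment). This is an added example, not configuration posted by anyone in the thread; the jail names, host paths, addresses and daemon command lines are placeholders.

```conf
# Constructed example /etc/jail.conf (added illustration, not from the thread).
# Placeholder names, paths and addresses throughout.
#
# The shared, read-only view of the host userland is set up ONCE on the host,
# outside jail.conf, so that both jails below can point at the same path
# without each trying to mount it again:
#
#   mount -t nullfs -o ro /     /jails/shared
#   mount -t tmpfs     tmpfs    /jails/shared/var
#   mount -t tmpfs     tmpfs    /jails/shared/tmp
#
# Anything a daemon must write (pid file, cache, zone transfers, logs) has to
# land under one of the writable mounts; everything else stays read-only.
# Security patches are applied once, on the host, and both jails see the
# updated binaries immediately because they have no copy of their own.

# Defaults applied to every jail in this file.
exec.clean;                 # start with a clean environment, not the host's
mount.devfs;                # per-jail devfs at $path/dev ...
devfs_ruleset = 4;          # ... filtered by the stock "devfsrules_jail" ruleset
path = "/jails/shared";     # the read-only nullfs view set up above
host.hostname = "$name.example.invalid";
allow.raw_sockets = 0;      # no raw sockets
allow.mount = 0;            # jail may not mount anything itself
ip6 = "disable";            # v4-only services in this example

# Authoritative and recursive DNS share the same directory but get their own
# address and their own process tree.
unbound {
    ip4.addr = "192.0.2.10";                              # placeholder
    exec.start = "/usr/local/sbin/unbound -c /usr/local/etc/unbound/unbound.conf";
    exec.stop  = "/usr/local/sbin/unbound-control stop";
}

nsd {
    ip4.addr = "192.0.2.11";                              # placeholder
    exec.start = "/usr/local/sbin/nsd -c /usr/local/etc/nsd/nsd.conf";
    exec.stop  = "/usr/local/sbin/nsd-control stop";
}
```

With the mounts in place, `jail -c unbound nsd` creates both jails from this file and `jail -r unbound nsd` tears them down (or add `jail_enable="YES"` in rc.conf and use `service jail start`). Because `path` is the same for both, there is still only one userland on disk: the separation comes from each jail's own process tree, address and devfs, not from duplicated files, which is the same trade-off as the single `jail -c path=/ ip4=disable ...` one-liner earlier in the thread, just with the writable scratch space made explicit.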

