--private=~/path/to/jail limits access to your home directory to ~/path/to/jail and when you don't want Obsidian to have internet access you can take it away with --net=none.
Note that if you already have an Obsidian vault, suddenly jailing it might break things. Obsidian stores a bunch of state in ~/.config/obsidian which will no longer be valid. And amusingly/frustratingly, the GTK file picker doesn't take the jail into account and seems to produce invalid paths.
And because --private mounts some bits as temporary filesystems, you might end up losing state. Try before you buy.
It provides a sandbox, an API to access stuff outside of it (portals), and standard tools to customize what your software has access to (Flatseal, KDE app settings). It's based on the same technology as Docker containers, but for user-space GUI apps.
AppImage is a binary distribution format that does none of that stuff, so you need external tools, like firejail, to limit what the application has access to.
