A question about one program starting another program

[Walkerby]

If I start a program in private mode, and then the program starts another program, will the second program be running outside firejail?

[rusty-snake]

If I start a program in [firejail], and then the program starts another program, will the second program be running outside firejail?

TL;DR: No

Then you could skip the sandbox. If firefox for example could simply start python3 malware.py the sandbox would be useless.
Firejail sandboxes always inherit, that's the way namespaces work in linux. In the reality, it's still possible that a program runs outside of the sandbox. Programs with instant management may talk to an already running instance (through D-Bus) and tell it to open a new window/tab with this file.

[Walkerby]

Thanks for your answer! And other than overlayfs mode, for a deb package, I have to install it before firejail it. Would it be dangerous to install the program without the overlayfs and to expose the root directory to it?

[rusty-snake]

I don't fully understand your question but regarding security of installing of deb (or rpm) packages I can say that

1. Installing from trusted sources (e.g official repos) is safe (in the most cases).
2. Installing from a malicious source should is a bad idea (it could exploit bugs in dpkg and everything from 3.)
3. Installing from a not trusted source:
   1. There is the possibility to run post-install/upgrade/uninstall or pre-uninstall/upgrade hooks (or whatever they called in dpkg). You can (and should) review these script and disable there executing if necessary.
   2. Installing of files is not yet unsafe for itself however
   3. Installing files in locations that are executed at shell/session/program/... startup can be dangerous.

You can setup a overlayfs w/o firejail too, but it can be very annoying #3999.