The appimaged daemon described here now uses an existing installation of firejail to run AppImages without needing to make them executable. firejail, in turn, uses in-kernel mounting, which should make the AppImages launch even a little faster.
Right now this is experimental and the sandbox is very permissive (i.e., no restrictions are in place yet at all), but let's think about how we can tighten up security (e.g., by letting unsigned AppImages run only in a fully sandboxed environment).
Firejail AppImage support and a few remaining issues with it are discussed at https://github.com/netblue30/firejail/issues/861.
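
One way the "unsigned AppImages only run fully sandboxed" idea above could be expressed, as an added sketch that is not appimaged's or firejail's own code. It assumes the embedded signature lives in the ELF section `.sha256_sig`, and the strict option set is an illustrative choice of existing firejail options; `signature_bytes` and `firejail_argv` are hypothetical helper names.

```python
import struct

# Assumption: type-2 AppImages keep their embedded signature in this ELF section.
SIG_SECTION = b".sha256_sig"
# Illustrative "fully sandboxed" option set; all are existing firejail options.
STRICT = ["--private", "--net=none", "--caps.drop=all", "--seccomp", "--nonewprivs"]


def signature_bytes(data: bytes) -> bytes:
    """Return the signature section content, or b"" if absent, empty or unparsable."""
    if data[:6] != b"\x7fELF\x02\x01":  # only 64-bit little-endian ELF is handled
        return b""
    try:
        (shoff,) = struct.unpack_from("<Q", data, 0x28)
        shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x3A)

        def section(i):  # -> (name offset, file offset, size)
            name, _, _, _, off, size = struct.unpack_from(
                "<IIQQQQ", data, shoff + i * shentsize)
            return name, off, size

        _, str_off, str_size = section(shstrndx)
        names = data[str_off:str_off + str_size]
        for i in range(shnum):
            name, off, size = section(i)
            if names[name:names.find(b"\0", name)] == SIG_SECTION:
                # An all-zero section is treated as unsigned.
                return data[off:off + size].strip(b"\0")
    except struct.error:
        pass  # truncated or malformed headers: treat as unsigned
    return b""


def firejail_argv(path: str, data: bytes) -> list:
    """Build the launch command: permissive if a signature is present, strict otherwise.

    Presence is not validity; a real policy must verify the signature
    against a trusted key before relaxing the sandbox.
    """
    strict = [] if signature_bytes(data) else STRICT
    return ["firejail", "--appimage", *strict, path]
```

Anything that cannot be parsed falls through to the strict command line, so a malformed file never gets the permissive sandbox.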