In its most primitive use case "guix shell" sets environment variables and doesn't isolate. With "--pure" it also unsets existing variables. With "--container" it unshares a bunch of user namespaces so that the process has a different view on the file system (and others).

User namespaces are a Linux kernel feature. You can learn more about them from the man pages: https://www.man7.org/linux/man-pages/man7/user_namespaces.7....