I tried securing Firefox with seccomp.keep inside its firejail profile. It turns out Firefox on launch does some X32 ABI syscall that seccomp cannot filter individually (and seccomp can only allow through the blanket syscall, which obviously is too loose and beats the purpose of using seccomp to harden Firefox).
Basically, it appears you cannot sandbox Firefox with granular seccomp.
I opened a bug in Firefox. Seems like something that needs to be addressed. Maybe someone could suggest something about this.