9

Suppose there's a binary application that always writes its data to /tmp.

How could I spoof/mock /tmp for the sake of this binary as some other directory (e.g. home/tmp)?

Let's assume I have no means of modifying this binary to force it to use a different directory.

2 Answers

11

You can run the application in a chroot environment, i.e. the / the application sees is not the real /. You create a completely new file system hierarchy and mount (--bind) everything you need into it. The relevant point is: you can mount the real ~/tmp to the /tmp in the chroot environment.

Instead of using chroot (which requires superuser privilege) you may do more or less the same with Linux containers (lxc). I am not familiar with lxc but as it's a normal user process to the host system you do not need to be the superuser for such configurations within the container.

  • Great answer, I hadn't heard of either chroot or lxc being capable of doing this. It's also really nice to know there's a way of accomplishing it without being a superuser. Commented Jun 4, 2014 at 14:57
  • 3
    @Nobilis 98 upvotes missing for this to be recognized as a great answer... Commented Jun 4, 2014 at 15:00
  • 2
    Beware, however, that chroot requires additional setup (you are replacing the whole of /, not just /tmp, so any access to /etc, /var, etc, will also be inside the "jail") and creates security concerns of its own (the "jailed" program may be able to manipulate parts of the file system which would normally be off-limits if you aren't careful with the permissions when setting up your fake /). Commented Jun 4, 2014 at 18:03
  • @IMSoP Would you mind explaining "may be able to manipulate parts of the file system which would normally be off-limits" in more detail? Commented Jun 4, 2014 at 18:23
  • @HaukeLaging If the new / is not restricted to be written only by root, the "jailed" user can create or replace files which seem to be in key system locations, such as /etc/passwd; this can then be used for privilege escalation which would not be possible outside the chroot. Many Linux FTP servers, which traditionally use chroot to hide the rest of the filesystem, now refuse to do so if the directory is writeable by a non-root user. Commented Jun 4, 2014 at 18:46
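
The permission concern raised in the comments above, as an added example that is not part of the original thread: a shell function that audits a directory tree before it is used as a chroot /, flagging the jail root and key paths such as etc/passwd when they are group- or world-writable or not owned by the trusted uid. The function name `audit_jail`, the list of paths, and the use of `find` for the checks are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a directory tree before using it as a chroot "/".
# Flags the jail root and key system paths inside it that are writable by
# group/others or owned by anyone other than the trusted uid.
# The path list is an assumption; extend it to match your jail layout.
SENSITIVE=". etc etc/passwd etc/group etc/shadow bin sbin lib lib64 usr"

# audit_jail JAIL [TRUSTED_UID]   (TRUSTED_UID defaults to 0, i.e. root)
# Prints one line per unsafe path; returns 0 if none, 1 if any, 2 on bad input.
audit_jail() {
    jail=$1
    uid=${2:-0}
    [ -d "$jail" ] || { echo "not a directory: $jail" >&2; return 2; }
    bad=0
    for rel in $SENSITIVE; do
        p="$jail/$rel"
        # Skip paths this jail does not contain (-L keeps dangling symlinks in scope).
        [ -e "$p" ] || [ -L "$p" ] || continue
        # -prune: test only this path, do not descend into it.
        # Symlinks always report mode 777, so only their ownership is checked.
        hit=$(find "$p" -prune \( ! -user "$uid" -o \
              \( ! -type l \( -perm -020 -o -perm -002 \) \) \) -print)
        if [ -n "$hit" ]; then
            echo "unsafe: $p"
            bad=1
        fi
    done
    return "$bad"
}
```

Run it against the prepared tree before bind-mounting ~/tmp onto its tmp directory and calling chroot. The jail's own tmp is deliberately not in the list, since a writable scratch directory is the point of the setup.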
8

Most POSIX-compliant software would honor the TMPDIR environment variable, e.g.

env TMPDIR=~/mytmp /path/to/application
