isolated environments reduce the risk, and sandboxes do exactly that.

with a sandbox you are reducing the scope of damage when something goes wrong. but for this you need proper isolation and the ability to run everything the app requires.

  1. reduced/limited/throttled/quota-based access to resources
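added example (not from the original notes): one way to get the quota-based resource access from point 1 on Linux is to set hard rlimits on the sandboxed child before it execs, so the kernel refuses memory beyond the quota and kills the process if it burns more CPU than allowed. the quota values below are constructed, and the child is just an inline Python snippet standing in for "the app".

```python
import resource
import subprocess
import sys

# Constructed quota policy (hypothetical values, not a recommendation for any real workload).
MEM_QUOTA_BYTES = 512 * 1024 * 1024   # address-space cap for the child
CPU_QUOTA_SECONDS = 2                 # soft CPU limit -> SIGXCPU; hard is one second later -> SIGKILL


def _apply_quotas() -> None:
    """Runs in the child between fork and exec; hard limits cannot be raised back by the child."""
    resource.setrlimit(resource.RLIMIT_AS, (MEM_QUOTA_BYTES, MEM_QUOTA_BYTES))
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_QUOTA_SECONDS, CPU_QUOTA_SECONDS + 1))


def run_quota_limited(python_code: str, wall_timeout: float = 30.0) -> dict:
    """Run a Python snippet in a quota-limited child and report how the kernel handled it.

    returncode < 0 means the child was terminated by a signal (e.g. SIGXCPU/SIGKILL from the CPU quota);
    memory_refused is True when an allocation was denied by the address-space quota.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-c", python_code],
            preexec_fn=_apply_quotas,      # quotas are applied only to the child, never to this process
            capture_output=True, text=True, timeout=wall_timeout,
        )
    except subprocess.TimeoutExpired:
        return {"returncode": None, "memory_refused": False, "timed_out": True}
    return {
        "returncode": proc.returncode,
        "memory_refused": "MemoryError" in proc.stderr,
        "timed_out": False,
    }


if __name__ == "__main__":
    # Well-behaved child: a 1 MiB buffer fits the quota and exits cleanly.
    print(run_quota_limited("bytearray(1024 ** 2)"))
    # Runaway allocation: 2 GiB is refused by the kernel instead of exhausting the host.
    print(run_quota_limited("bytearray(2 * 1024 ** 3)"))
    # Runaway CPU loop: the kernel terminates the child once the CPU quota is spent.
    print(run_quota_limited("while True: pass"))
```

the same pattern extends to RLIMIT_NOFILE or RLIMIT_FSIZE for file-handle and output quotas; namespaces and seccomp then cover the isolation side, which rlimits alone do not.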

eBPF Architecture: the Linux Kernel, User Space, and the System Calls

https://www.groundcover.com/ebpf
