>which are sandboxed

Not always. The app can claim to need filesystem access and it will get it without the user knowing.