Sandbox-exec covers everything I personally expect from a sandbox:

- controls which files the process can read and write

- controls what network access the process is allowed