There are plenty of ways to sandbox it. Treat it as an employee, i.e. give it its own user account, use cgroups, etc. Unfortunately, the defaults aren’t very secure. And I’m sure most users will just stick with the defaults