The content inside the notepad edit window should probably be universally sandboxed from your local box

Sadly, this was already the case when Notepad stayed in its lane and only handled plain text unicode.