Why? Every sandbox that has ever existed has been exploited/broken out of, including VMs. Only explicit security controls like RBACs (ex. SELinux) can create a secure runtime environment, if you configure them right.
It's much, much easier to just download a binary and compare its cryptographic hash with the origin's before running it. That's how all Linux distributions ship apps, and Windows has a slightly more modern version of that.
Linux distributions ship artifacts from building open source projects, often they’re even built in a deterministic way so that third parties can verify that they haven’t been tampered with.
Closed binaries tend to come from corporations and are often full of nasty things, wether the hash verifies or not isn’t the problem.
