Apps have direct access to the entire kernel system call interface. They don't run as root, and in particular they run as different UIDs (which is, to be clear, fantastic in its own right) and with SELinux policies. But their "Application Sandbox" is nothing more than that. Apps have as much access as, say, a well-run public shell server gives to their users. That's a lot more attack surface than JS in my browser has.