[contextfree]

Centennial isn't really a sandbox in the sense I think the poster above you meant - while processes have their reads/writes to certain filesystem/registry locations virtualized by default, this isn't a security boundary as they ultimately run at medium trust and can do anything the user can do.

AppContainer is the security sandbox used by modern apps (aka Metro/UWP). It can be used independently of other aspects of the modern app model - e.g., Chrome uses it to sandbox content processes - although this isn't documented very well (which I guess was what GP was complaining about?) and it seems like trying to sandbox apps that weren't designed to be sandboxed, as GP was wanting, would have inherent compatibility problems?