by jldugger 2181 days ago

The sandbox-exec command is DEPRECATED.  Developers who wish to sandbox an app should instead adopt the App Sandbox feature described in the App Sandbox Design Guide.  The sandbox-exec command enters a sandbox

All of sandboxing (including sandbox-exec, which is like 10 lines of code to just call the sandboxing functions) is considered deprecated/Apple private. As it’s the way to do such things on macOS, however, some very popular software depends on it in addition to Apple’s: Chrome, Firefox, MacPorts, Homebrew, …
Does it work though?
It works, but you have to supply your own sandbox profile (list of allowed/denied operations) and it won’t create a virtual home directory for you like App Sandbox does. I’m not sure whether there’s an easy way to forcibly enable App Sandbox, but one possibility is to compile your own sandboxed app that simply execs the untrusted one. (Sandboxes are inherited by child processes, as they must be for security.)
It works, and Homebrew is a high profile example of software that uses sandbox-exec extensively (bottling CI and brew install from source build formulae in sandboxes so that build scripts can’t read/write whatever they feel like; so do tests).
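The custom-profile approach both replies describe (sandbox-exec with a profile you write yourself, the way Homebrew confines its builds), as an added example that is not code from the thread or from Homebrew. It assumes macOS with /usr/bin/sandbox-exec; the allowed paths, the function names and the SANDBOX_DEMO variable are assumptions, and a real build usually needs further allow rules, which the (debug deny) line surfaces in the system log.

```shell
#!/bin/sh
# Added example (not from the thread or from Homebrew): run a command under
# sandbox-exec with a deny-by-default profile that we supply ourselves.
# Assumes macOS with /usr/bin/sandbox-exec; all paths below are assumptions.

# build_profile WORKDIR: print an SBPL profile that confines a build to WORKDIR.
# The rules after (deny default) carve out only what a source build needs.
build_profile() {
  workdir=$1
  cat <<EOF
(version 1)
(deny default)
(debug deny)                 ; log every denied operation to help find missing rules
;; Launching tools and forking is allowed; children inherit the sandbox
(allow process-exec process-fork)
(allow sysctl-read)
;; Read-only access to the toolchain and system libraries
(allow file-read* (subpath "/usr") (subpath "/bin") (subpath "/System")
                  (subpath "/Library") (subpath "/private/var/db/dyld"))
;; Read/write only inside the build tree and scratch space
(allow file-read* file-write* (subpath "$workdir") (subpath "/private/tmp"))
;; No network at all for a source build
(deny network*)
EOF
}

# run_sandboxed WORKDIR CMD [ARGS...]: write the profile to a temp file and
# run CMD under it with sandbox-exec -f, cleaning the file up afterwards.
run_sandboxed() {
  workdir=$1; shift
  profile=$(mktemp "${TMPDIR:-/tmp}/build.sb.XXXXXX") || return 1
  build_profile "$workdir" > "$profile"
  /usr/bin/sandbox-exec -f "$profile" "$@"
  status=$?
  rm -f "$profile"
  return "$status"
}

# Usage, guarded so the file also loads on hosts without sandbox-exec.
# The first touch succeeds (inside the tree); the second is denied with
# "Operation not permitted" because /etc is outside the allowed subpaths.
if [ -x /usr/bin/sandbox-exec ] && [ -n "${SANDBOX_DEMO:-}" ]; then
  run_sandboxed "$PWD" /bin/sh -c 'touch probe-in-tree; touch /etc/probe-denied'
fi
```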