Sandstorm uses Vagrant as part of the app packaging (for developers) process. It is _not_ used in everyday use of Sandstorm. Instead, "Sandstorm implements fine-grained containers"[1], not VMs.
Sandstorm has a pretty unique sandboxing model, which makes it drastically more secure than Docker in practice, but the tradeoffs in terms of packaging differences can be significant.
One of the biggest things is that Sandstorm prefers to sandbox individual documents versus applications, which mitigates a huge variety of security flaws in apps. In most cases vulnerabilities in apps on Sandstorm are not exploitable when run on Sandstorm.
It also manages most authentication and authorization roles for apps in an integrated way, which requires more integration work than just spinning up a Docker container.
Feel free to hit me up if you want to know more, though it would be a lot of work to make Sandstorm work for your business model at this point. It's cool seeing others in the "make open source web apps user-friendly to run" space though.
Thanks! Will read this later in detail and see if anything can be learnt.
I do want to point out that this is from 2014 and we don't use Docker at PikaPods. We use Red Hat's stack, which integrates better with other Linux tools, like SELinux and Systemd.