Sandstorm is really good at security. I would absolutely encourage you to download a copy and try to identify an exploitable security vulnerability. As a Sandstorm user, I'd really like to know about it!
I suppose I'm talking about marginal differences. As in, I'd be surprised if Sandstorm can strongly outdo, e.g. my own Docker + Nginx proxy manager+SSL stuff?
You will be surprised then. Sandstorm utilizes capability-based security to grant access to applications, each app is only ever running when an authorized user attempts to launch the app, and each document within a given app is isolated to it's own only-run-on-demand container.
The core difference here is that for all intents and purposes app vulnerabilities are almost wholly mitigated. The only significant type of app vulnerability which Sandstorm cannot prevent is privilege escalation within a single document, where you've shared limit access of a document with a user, say read only, and due to an app vulnerability, they've figured out how to edit it.
Since all documents are private solely to the user who created them initially, and the process isn't even running until that particular user tries to open it, there's effectively no attack surface for Sandstorm apps most of the time. When they are spawned, they're spun up at randomly-generated ethereal subdomains, and authorized solely for access by the web browser that launched them.