My understanding: It's sandboxing to protect against exploits delivered via supply chain attacks, which often use low hanging fruit like hooks on install to steal tokens/etc. It's definitely not perfect, but it does not hurt either.
It does not; a supply chain attack is not that, afaik. This is to defend against npm executing arbitrary nefarious code as your user on install of a compromised package.
Also sandboxing npm really means sandboxing node running npm (which is js).