Oh wow. I'd be very interested in hearing how they sandbox rust-analyzer. I found a discussion of supporting the analyzer itself by generating config files [1][2], but not how you can sandbox it.
That would be extremely useful as the analyzer is a pretty juicy target and also runs proc-macros/build.rs scripts.
https://www.grepular.com/Sandbox_Rust_Development_with_Rust_...
Well, that's a bit out of date now as I use podman, to get around the sudo issues. But that's the basic idea.