People interested in configuring Python software in Python
should look into Starlark.
There are Python bindings for two versions of Starlark:
Go (https://github.com/caketop/python-starlark-go)
and Rust (https://github.com/inducer/starlark-pyo3).
I used python-starlark-go for a time
in a project that ran on x86-64 Linux
and had no problems with it.
(I stopped because my project's configuration turned out simpler than expected,
so I switched to TOML.)
Worth noting that it is specifically CPython that has been called impossible to sandbox.
(2014 discussion: https://news.ycombinator.com/item?id=8280053.)
It may be possible to sandbox PyPy.
PyPy has a sandboxing feature its website calls a "working prototype"
(https://www.pypy.org/features.html#sandboxing).
If someone invested in it—potentially a huge effort—it could plausibly become good enough for configuration.
But, IMO, Starlark is a better choice here
because it was designed for isolation from the start.
If you wanted to invest in Python-as-config-for-Python,
a good use of your time might be improving Starlark for Python.
Worth noting that it is specifically CPython that has been called impossible to sandbox. (2014 discussion: https://news.ycombinator.com/item?id=8280053.) It may be possible to sandbox PyPy. PyPy has a sandboxing feature its website calls a "working prototype" (https://www.pypy.org/features.html#sandboxing). If someone invested in it—potentially a huge effort—it could plausibly become good enough for configuration. But, IMO, Starlark is a better choice here because it was designed for isolation from the start. If you wanted to invest in Python-as-config-for-Python, a good use of your time might be improving Starlark for Python.