I would add that in addition to Unix permissions, sandvault also utilizes macOS sandbox-exec to further limit the blast radius.