Sandboxing a GUI is typically more operational overhead than sandboxing a CLI (mounting compositor sockets, GPU access, etc.).