The majority of problems I've encountered involving sandbox actually relate to usersandbox, in particular failing testcases like https://github.com/gentoo/gentoo/pull/29187/commits/61cd9aec7b088e75be368aa85c436785e39a99c0. I don't know how feasible it would be or what effect it might have on unprivileged prefixed Gentoo, but I would be more inclined to use RESTRICT="test?( usersandbox )" than to continue disabling unittests.
Note that PMS doesn't cover sandbox restriction at all: https://dev.gentoo.org/~ulm/pms/head/pms.html#section-7.3.6. It's a Portageism.
I see. It used to be a part of PMS (https://bugs.gentoo.org/161045) and given that the PMS already includes a 'Sandbox commands' section, it seems strange not to either sever it off completely or support if fully.
The majority of "problems involving sandbox" are due to the specific sandbox implementation (and often even sandbox version) rather than the general idea of restricting filesystem access. General "restrict sandbox" is a bad idea because it prevents people from using a better implementation in the future (e.g. sydbox that's based on ptrace or fusebox that's based on FUSE).
I see.
