Packages that use OpenCL during build (e.g. those utilising media-gfx/imagemagick or media-gfx/graphicsmagick, including those bundling them, but also sci-geosciences/qgis-3.0.0 via pyuic wrapper) will attempt to access /dev/dri/render* during build, which will cause a build failure due to sandbox violations.
If the render nodes were listed in SANDBOX_PREDICT in a new /etc/sandbox.d/99opencl file, this would be fixed.
/dev/dri/render* is actually 0666 on my system, which should be safe as the interface was designed to allow only rendering, as opposed to management and modesetting of the card as a whole. Hence it appears to be safe to list it in SANDBOX_WRITE.
Since /etc/sandbox.d/ does not appear to support prefix matches or wildcard globs, every render node has to be explicitly listed in SANDBOX_WRITE. Could this be automated through a udev rule generating the /etc/sandbox.d/99opencl file? That should then even cover hotplugged devices.
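One way the proposed automation could look, as an added example that is not part of the bug report or of Gentoo's sandbox: a POSIX sh function that scans a directory for renderD* nodes and writes a sandbox.d file listing each one explicitly in SANDBOX_WRITE (the colon-separated, quoted format used by the existing /etc/sandbox.d files). The function name, the script path and the udev rule shown in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): generate /etc/sandbox.d/99opencl
# so that OpenCL-using builds may open the DRM render nodes. Only the
# renderD* nodes are listed; card* (modesetting/management) stays out.
#
# Hypothetical udev hook that re-runs this on (hot)plug events:
#   KERNEL=="renderD*", SUBSYSTEM=="drm", RUN+="/usr/local/sbin/gen-opencl-sandbox"
# (rule file name and script path are placeholders)

# gen_opencl_sandbox DIR OUTFILE
#   DIR     directory to scan (normally /dev/dri)
#   OUTFILE sandbox.d file to write (normally /etc/sandbox.d/99opencl)
# Returns 0 when at least one render node was listed, 1 otherwise.
gen_opencl_sandbox() {
    dir="$1"
    out="$2"
    nodes=""
    for n in "$dir"/renderD*; do
        # An unmatched glob leaves the literal pattern; skip it.
        [ -e "$n" ] || continue
        nodes="${nodes:+$nodes:}$n"
    done
    if [ -z "$nodes" ]; then
        # No render nodes: leave an empty whitelist rather than a stale one.
        : > "$out"
        return 1
    fi
    {
        echo "# Generated by gen_opencl_sandbox: DRM render nodes for OpenCL builds."
        echo "# Render nodes are render-only (no modesetting), hence SANDBOX_WRITE."
        echo "SANDBOX_WRITE=\"$nodes\""
    } > "$out"
    return 0
}

# Typical invocation (needs write access to /etc/sandbox.d):
#   gen_opencl_sandbox /dev/dri /etc/sandbox.d/99opencl
```

Because the file is regenerated from the current node set on every run, a node that disappears is dropped from the whitelist instead of lingering.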