Proper mount setup
Right now the sandbox code can only do a basic read-write chroot, which means a compromised worker can write anywhere inside the jail, including over its own binaries and libraries. We'd like something more sophisticated: / mounted read-only, the document root mounted read-write, and perhaps /tmp on a tmpfs mounted noexec (with nosuid and nodev to match), so that writes are confined to the document root and nothing dropped into scratch space can be executed directly from there. In other words, something closer to the systemd ReadOnlyDirectories / ReadWriteDirectories model (ReadOnlyPaths= / ReadWritePaths= in current systemd; the old names are still accepted).
This will also need changes on the configuration side, so that a setup can say which paths are read-only, which are read-write, and how /tmp is mounted, rather than just naming a chroot directory.
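As an added example (not the sandbox project's own code), the C program below builds that layout with mount(2) inside a fresh mount namespace and then checks it against /proc/self/mounts from inside the jail. It needs CAP_SYS_ADMIN to run; the newroot and docroot arguments and the 64 MiB tmpfs size are assumptions, and SAMPLE_MOUNTS is a constructed /proc/self/mounts excerpt that only exists to exercise the checker.

```c
/* Added example, not the sandbox project's own code: build the layout the
 * issue asks for ("/" read-only, document root read-write, /tmp a noexec
 * tmpfs) in a fresh mount namespace, then verify it via /proc/self/mounts.
 * Needs CAP_SYS_ADMIN. newroot, docroot and the tmpfs size are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <unistd.h>

/* Constructed /proc/self/mounts excerpt, used only to exercise mount_has_opt(). */
const char *SAMPLE_MOUNTS =
    "rootfs / rootfs rw 0 0\n"
    "/dev/sda1 / ext4 ro,relatime 0 0\n"
    "/dev/sda1 /srv/www ext4 rw,relatime 0 0\n"
    "tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,size=65536k 0 0\n";

/* Is OPT among TARGET's mount options? MOUNTS is text in /proc/self/mounts
 * format; the last line for a target wins, as with an overmount.
 * Returns 1 = present, 0 = absent, -1 = target not mounted. */
int mount_has_opt(const char *mounts, const char *target, const char *opt)
{
    int result = -1;
    for (const char *line = mounts; *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[1024], tgt[256], opts[512];
        if (len < sizeof buf) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            if (sscanf(buf, "%*s %255s %*s %511s", tgt, opts) == 2 &&
                strcmp(tgt, target) == 0) {
                result = 0;
                for (char *t = strtok(opts, ","); t; t = strtok(NULL, ","))
                    if (strcmp(t, opt) == 0) { result = 1; break; }
            }
        }
        line = nl ? nl + 1 : line + len;
    }
    return result;
}

static int xmount(const char *src, const char *dst, const char *fs,
                  unsigned long flags, const char *data)
{
    if (mount(src, dst, fs, flags, data) == 0) return 0;
    fprintf(stderr, "mount %s: %s\n", dst, strerror(errno));
    return -1;
}

/* newroot: empty directory that becomes the jail root.
 * docroot: absolute host path of the document root. */
int setup_sandbox_mounts(const char *newroot, const char *docroot)
{
    char path[4096];

    /* New mount namespace, made private so our mounts do not propagate
     * back to the host (systemd makes "/" a shared mount by default). */
    if (unshare(CLONE_NEWNS) < 0) { perror("unshare"); return -1; }
    if (xmount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) return -1;

    /* Bind the whole tree under newroot, then flip it read-only. A bind
     * starts with its source's flags; MS_RDONLY only takes effect on the
     * separate MS_REMOUNT|MS_BIND pass, and without MS_REC it applies to
     * the top mount only (submounts like /proc and /dev keep their own). */
    if (xmount("/", newroot, NULL, MS_BIND | MS_REC, NULL) < 0) return -1;
    if (xmount(NULL, newroot, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, NULL) < 0)
        return -1;

    /* Document root: a fresh bind from the writable host mount, laid over
     * the read-only copy, so only this subtree accepts writes. */
    snprintf(path, sizeof path, "%s%s", newroot, docroot);
    if (xmount(docroot, path, NULL, MS_BIND, NULL) < 0) return -1;

    /* Scratch space: tmpfs with noexec/nosuid/nodev, so a payload dropped
     * in /tmp cannot simply be executed from there. */
    snprintf(path, sizeof path, "%s/tmp", newroot);
    if (xmount("tmpfs", path, "tmpfs", MS_NOEXEC | MS_NOSUID | MS_NODEV,
               "size=64m,mode=1777") < 0) return -1;

    if (chroot(newroot) < 0 || chdir("/") < 0) { perror("chroot"); return -1; }
    return 0;
}

/* Check from inside the jail: "/" ro, docroot rw, /tmp noexec. */
int verify_sandbox_layout(const char *docroot)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/mounts", "r");
    if (!f) { perror("/proc/self/mounts"); return -1; }
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (mount_has_opt(buf, "/", "ro") == 1 &&
            mount_has_opt(buf, docroot, "rw") == 1 &&
            mount_has_opt(buf, "/tmp", "noexec") == 1) ? 0 : -1;
}
```

The intended flow is `setup_sandbox_mounts(newroot, docroot)` followed by `verify_sandbox_layout(docroot)` and only then the exec of the worker; the verify step is there because the bind-then-remount two-step is easy to get wrong and a silently read-write root is exactly the failure this feature is meant to prevent. Two caveats worth keeping in mind for the real implementation: chroot(2) is used here for simplicity, while pivot_root(2) plus unmounting the old root is the stronger choice, and the recursive bind leaves submounts such as /dev/shm with their original (writable, executable) flags, so any that should be tightened need their own remount.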