Reading https://developer.apple.com/forums/thread/661939, I’m fairly sure the recommended way to sandbox individual processes is to use the Endpoint Security Framework (Quinn “the Eskimo” has been with Apple for decades; I trust him to know).
(For sandboxing systems, use the Hypervisor framework or, if you want to run Linux, the Virtualization framework built on top of it)
Quinn is wrong. The recommended way for third parties to sandbox their code definitely remains the one the platform provides. That it is not considered to be stable is expected and the relationship between third party developers and Apple for this API has been consistent for at least the last decade.
Endpoint Security isn't usable for this. It's meant as a stable API for virus scanners, basically.
The sandboxing API is internal, but Chrome uses it extensively. So Apple is limited in how much they can break it, otherwise new macOS versions can't run Chrome.
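The "API the platform provides" that the replies above refer to is the Seatbelt sandbox, which takes a profile written in SBPL (the s-expression language consumed by `sandbox_init(3)` and `sandbox-exec(1)`). As an added example that is not part of the thread or of any of the projects mentioned, the script below builds a deny-by-default profile and lints a profile text for the mistakes that quietly turn a sandbox into a no-op (no `(deny default)`, an `(allow default)`, or an allow rule on `(subpath "/")`). The rule names (`file-read*`, `file-write*`, `network*`, `subpath`) are the real SBPL forms; the builder and linter functions are this example's own and only handle the profile text, never applying it.

```python
"""Build and lint a Seatbelt (SBPL) sandbox profile.

Constructed example: the profile text is what macOS's sandbox_init(3) and
sandbox-exec(1) consume. This script only builds and checks the text; it does
not apply a sandbox, so it runs on any platform.
"""
import re


def build_profile(read_paths, write_paths=(), allow_network=False):
    """Return an SBPL profile that denies everything by default and allows
    only reads/writes under the listed directories (plus network if asked)."""
    rules = ["(version 1)", "(deny default)"]
    for path in read_paths:
        rules.append(f'(allow file-read* (subpath "{path}"))')
    for path in write_paths:
        rules.append(f'(allow file-write* (subpath "{path}"))')
    if allow_network:
        rules.append("(allow network*)")
    return "\n".join(rules) + "\n"


def parse_sexpr(text):
    """Parse SBPL s-expressions into nested Python lists.

    Quoted strings lose their quotes, which is enough for linting; a
    real-world profile with comments (;) would need the comment stripped first.
    """
    tokens = re.findall(r'\(|\)|"[^"]*"|[^\s()"]+', text)
    stack = [[]]
    for tok in tokens:
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok[1:-1] if tok.startswith('"') else tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]


def lint_profile(text):
    """Return a list of findings; an empty list means the profile is
    deny-by-default and no allow rule covers the whole filesystem."""
    findings = []
    forms = parse_sexpr(text)
    if not forms or forms[0] != ["version", "1"]:
        findings.append("profile must start with (version 1)")
    if ["deny", "default"] not in forms:
        findings.append("no (deny default): anything not listed is permitted")
    for form in forms:
        if not isinstance(form, list) or not form:
            continue
        if form[:2] == ["allow", "default"]:
            findings.append("(allow default) makes the sandbox a no-op")
        if form[0] == "allow":
            # Filters follow the operation name, e.g. (subpath "/usr/lib").
            for filt in form[2:]:
                if isinstance(filt, list) and filt[:1] == ["subpath"] and filt[1:] == ["/"]:
                    findings.append(f"{form[1]} allowed on subpath / (whole filesystem)")
    return findings


if __name__ == "__main__":
    profile = build_profile(["/usr/lib", "/System/Library"], write_paths=["/tmp/app-scratch"])
    print(profile)
    print("findings:", lint_profile(profile))
```

To actually apply a profile produced this way, write it to a file and run the command under `sandbox-exec -f profile.sb <command>`, or pass the string to `sandbox_init(3)` from the process itself; both are the platform API the thread calls unstable-but-relied-upon, so pin the profile in version control and re-lint it on every macOS upgrade.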