It might be worth noting that Apple is now using Bazel internally and has an active engineering team working on Bazel-related projects. So I would hope if they were to have any bone to pick with usage of `sandbox-exec` in Bazel, they would be able to introduce an alternative upstream.
Apple is large and diverse. If there is a team using Bazel internally, it is very possible that they have zero influence on what gets contributed upstream or how sandboxing is done on macOS.