Hacker News

yes; the mount doesn't need root access because of user namespaces (which is one of the Linux features with the most vulnerabilities next to BPF, but it's also quite handy...)

the sandbox is just a directory with the overlayfs content (whole new files for modified files, whiteouts for removals); there's some bugs e.g. removing a directory will create a whiteout that the apply script will try to rm without -r, and there's a handful of other failure modes I can think of (really doing network etc), but for simple commands it's a nice idea.
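As an added example (an editor's illustration, not the commenter's apply script or any project's code), here is a small Python applier for an overlayfs upper directory. It handles the failure mode mentioned above, a whiteout that shadows a whole directory, with a recursive removal, and it refuses to write through a symlinked parent inside the target. The real overlayfs conventions it assumes are that a removed entry appears as a 0/0 character-device whiteout of the same name and that an opaque directory carries an `overlay.opaque` xattr; the demo swaps in a clearly labelled symlink stand-in for whiteouts (`WHITEOUT_STANDIN`, a constructed marker) so it runs without the privilege needed to create device nodes.

```python
"""Replay an overlayfs upper directory (the "sandbox") onto a target tree.

Added example, not the commenter's script. Assumes the overlayfs on-disk
layout (0/0 char-device whiteouts, 'overlay.opaque' xattr); the demo uses a
symlink stand-in for whiteouts so it runs unprivileged.
"""
import os
import shutil
import stat
import tempfile
from pathlib import Path

WHITEOUT_STANDIN = "overlayfs-whiteout"   # constructed marker, demo/test only


def is_overlay_whiteout(path: Path) -> bool:
    """Real overlayfs whiteout: a character device with device number 0/0."""
    st = path.lstat()
    return (stat.S_ISCHR(st.st_mode)
            and os.major(st.st_rdev) == 0 and os.minor(st.st_rdev) == 0)


def is_standin_whiteout(path: Path) -> bool:
    """Demo stand-in (assumption, not an overlayfs convention): a symlink
    whose target is WHITEOUT_STANDIN marks the entry as removed."""
    return path.is_symlink() and os.readlink(path) == WHITEOUT_STANDIN


def is_opaque_dir(path: Path) -> bool:
    """Opaque upper dir: everything under it in the lower layer is hidden."""
    getxattr = getattr(os, "getxattr", None)          # Linux only
    if getxattr is None:
        return False
    for attr in ("trusted.overlay.opaque", "user.overlay.opaque"):
        try:
            if getxattr(path, attr, follow_symlinks=False) == b"y":
                return True
        except OSError:                               # absent or unreadable
            pass
    return False


def _is_real_dir(p: Path) -> bool:
    return p.is_dir() and not p.is_symlink()


def _checked_dest(target: Path, rel: Path) -> Path:
    """Map a relative upper path onto target without walking through a
    symlink, so a symlinked dir in target cannot redirect the write."""
    cur = target
    for part in rel.parts:
        if cur.is_symlink():
            raise RuntimeError(f"refusing to traverse symlink {cur}")
        cur = cur / part
    return cur


def _remove(dest: Path) -> str:
    """Clear whatever sits at dest. A whiteout may shadow a whole directory,
    so this is the recursive removal that 'rm' without '-r' lacks."""
    if _is_real_dir(dest):
        shutil.rmtree(dest)
        return "rmtree"
    if dest.is_symlink() or dest.exists():
        dest.unlink()
        return "unlink"
    return "noop"


def apply_upper(upper: Path, target: Path,
                is_whiteout=is_overlay_whiteout, is_opaque=is_opaque_dir):
    """Replay upper onto target; returns a list of (action, relative path)."""
    log = []
    for root, dirs, files in os.walk(upper):
        root = Path(root)
        rel_root = root.relative_to(upper)
        for name in list(dirs):            # symlinked dirs are copied, not walked
            if (root / name).is_symlink():
                dirs.remove(name)
                files.append(name)
        if rel_root.parts:
            dest_dir = _checked_dest(target, rel_root)
            if is_opaque(root) or not _is_real_dir(dest_dir):
                action = _remove(dest_dir)  # opaque dir or type change
                if action != "noop":
                    log.append((action, str(rel_root)))
            dest_dir.mkdir(exist_ok=True)
        for name in files:
            src, rel = root / name, rel_root / name
            dest = _checked_dest(target, rel)
            if is_whiteout(src):
                log.append((_remove(dest), str(rel)))
                continue
            _remove(dest)                   # a file may replace a dir or symlink
            shutil.copy2(src, dest, follow_symlinks=False)
            log.append(("copy", str(rel)))
    return log


def demo():
    """Constructed sandbox: edit keep/a.txt, add new.txt, rm c.txt, rm -r gone."""
    base = Path(tempfile.mkdtemp(prefix="ovl-apply-"))
    target, upper = base / "target", base / "upper"
    for d in (target / "keep", target / "gone" / "deep", upper / "keep"):
        d.mkdir(parents=True)
    (target / "keep" / "a.txt").write_text("lower\n")
    (target / "gone" / "deep" / "b.txt").write_text("doomed\n")
    (target / "c.txt").write_text("old\n")
    (upper / "keep" / "a.txt").write_text("modified\n")
    (upper / "new.txt").write_text("new\n")
    os.symlink(WHITEOUT_STANDIN, upper / "gone")     # whiteout: rm -r gone
    os.symlink(WHITEOUT_STANDIN, upper / "c.txt")    # whiteout: rm c.txt
    log = apply_upper(upper, target, is_whiteout=is_standin_whiteout)
    return target, sorted(log)


if __name__ == "__main__":
    for action, path in demo()[1]:
        print(f"{action:7} {path}")
```

Against a real upper directory, call `apply_upper(upper, target)` with the default predicates; the stand-in predicate exists only so the demo can exercise the directory-whiteout path unprivileged. Whether a given kernel exposes the opaque marker as `trusted.` or `user.` depends on how the overlay was mounted, which is why both names are tried.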




