In general emulated code should only be able to interact with the emulated machine, not the host machine running the emulator. But there's no specific sandboxing and there have been cases of bugs in emulators that allowed specially crafted roms to execute code on the host (https://scarybeastsecurity.blogspot.com/2016/11/0day-exploit...)