We have always repeated that Wine is not a sandbox. It cannot inherently be a sandbox, because we cannot prevent Windows applications from accessing host resources or performing syscalls, and there is no reason for us to include a sandbox instead of simply requiring that any concerned users run Wine inside a separate sandbox.

Why is this case any different?