Bazel on Linux already supports various ways to run actions in a sandbox (linux-sandbox, processwrapper-sandbox). We want to support sandboxing on Windows by reusing parts from BuildXL (Microsoft Build Accelerator).
The main motivation for sandboxing on Windows is to safeguard actions from accidentally using undeclared inputs, as this will affect build correctness. Such accesses have been a source of issues that cause Windows builds to behave differently from Linux and Mac builds.
Example of inadvertent file access: GH#5640.
The sandbox on Windows (BazelSandbox version 0.5) works with Bazel 0.29 onwards. It can sandbox most Bazel builds, but there is still room for improvement in performance and binary size (see unfinished work for more details).