System Integrity Protection would protect against many of the same threats that Windows Sandbox would (since it prevents applications from doing extreme damage to the system even with root), and by default it only lets you install software from developers registered with Apple (either inside or outside the Mac App Store). It'd be more secure out of the box than a Windows system, as if you have admin and are willing to click "yes", you can let an application do anything on Windows (although most attacks can be prevented with the new features in Pro/Enterprise).

Windows 10 has identical defaults (Windows Store install only, with hard locks on certain parts of the system and an integrity checker).

All I know is my older and less tech savvy relatives experience pretty much no problems with Apple devices and iOS/macOS. And if they did, they can take it to the Apple store.