That's a temporary measure. Get the sandboxing layer in with whatever permissions are required. And then move to tightening everything / replacing permission lists with permission requests like on iOS/Android.
There are a lot of pieces that have to fall into place, and any one on its own is not useful, but they will eventually build up something secure.