PVF worker: apply sandboxing per-process #600

Closed
paritytech/polkadot
#7580
@mrcnski

Currently we apply sandboxing per-thread, when it should be per-process. This shouldn't be a big change, we just need sandboxing exceptions for the artifacts/cache directories.

This should be a priority. Without it, the sandboxing we have with landlock is not really secure.

Related

This is also a blocker for paritytech/polkadot#7334.
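
The per-thread scope described in the issue, as an added example that is not part of the issue or the Polkadot code base: a thread restricts itself with Landlock and loses read access, while another thread of the same process can still read the same file. It assumes Linux with Landlock enabled and uses the raw syscall numbers 444 and 446; the function names and the temp-file path are hypothetical.

```rust
use std::fs::File;
use std::os::raw::{c_int, c_long, c_ulong};
use std::thread;

extern "C" {
    fn syscall(num: c_long, ...) -> c_long;
    fn prctl(option: c_int, ...) -> c_int;
    fn close(fd: c_int) -> c_int;
}

const SYS_LANDLOCK_CREATE_RULESET: c_long = 444;
const SYS_LANDLOCK_RESTRICT_SELF: c_long = 446;
const LANDLOCK_ACCESS_FS_READ_FILE: u64 = 1 << 2;
const PR_SET_NO_NEW_PRIVS: c_int = 38;

/// Deny all file reads for the calling thread only (ruleset with no allow rules).
/// Returns false when Landlock is unavailable or the restriction fails.
fn restrict_current_thread() -> bool {
    // First field of struct landlock_ruleset_attr: handled_access_fs (8 bytes).
    let attr: u64 = LANDLOCK_ACCESS_FS_READ_FILE;
    unsafe {
        let fd = syscall(SYS_LANDLOCK_CREATE_RULESET, &attr as *const u64, 8usize, 0u32);
        if fd < 0 {
            return false;
        }
        let zero: c_ulong = 0;
        let ok = prctl(PR_SET_NO_NEW_PRIVS, 1 as c_ulong, zero, zero, zero) == 0
            && syscall(SYS_LANDLOCK_RESTRICT_SELF, fd as c_int, 0u32) == 0;
        close(fd as c_int);
        ok
    }
}

/// Returns (restricted thread can read, other thread can read), or None without Landlock.
fn thread_scope_demo() -> Option<(bool, bool)> {
    // Constructed sample file standing in for an artifact.
    let path = std::env::temp_dir().join(format!("landlock-scope-{}", std::process::id()));
    std::fs::write(&path, b"artifact").ok()?;
    let p = path.clone();
    let restricted = thread::spawn(move || {
        if restrict_current_thread() { Some(File::open(&p).is_ok()) } else { None }
    }).join().ok()?;
    // This thread never called landlock_restrict_self, so it is not in the domain.
    let other_can_read = File::open(&path).is_ok();
    let _ = std::fs::remove_file(&path);
    restricted.map(|r| (r, other_can_read))
}

fn main() {
    println!("{:?}", thread_scope_demo());
}
```

On a kernel with Landlock enabled this prints `Some((false, true))`: the restriction holds only for the thread that applied it and for threads or processes it creates afterwards.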