> Uploads through this mechanism will be done in source form ...
> ... applications will run within their own sandbox
There are a lot of security checks which would be better done on the source code (i.e. once and not at each execution), even automatically.
For instance, by automatically analysing the source, you can deduce which files are needed and which libraries are linked in (so which package versions are needed), and only allow access to those files at run time (without a user popup), with the file name/path accepted at compile time.
You can also reject straight away some function calls (like "system()" or some library binding), even if at run time you did not find a way to trigger them.
Also, for the "Guides to nearby beer festivals" apps, it would be nice to have a "use-by date" where, at that date, a check for a newer version is automatically done; if no new version is found the app is automatically uninstalled, else the O.S. asks if the user wants to "renew the subscription" or remove the app.
Moreover, if version updates are done magically (the next month of beer festivals), there is no need for the app to ask for network access privilege.
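As an added illustration of the source-analysis idea in this comment (example code, not from the thread), a small Python checker that walks an app's AST: string-literal paths passed to open() become the run-time file allowlist, while calls on a forbidden list such as os.system() and open() calls whose path is not known at compile time are rejected. FORBIDDEN_CALLS and the sample app are constructed assumptions.

```python
import ast

# Assumed policy (not from the thread): calls the analyser refuses outright.
FORBIDDEN_CALLS = {"os.system", "subprocess.run", "subprocess.Popen", "subprocess.call"}


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None if the callee is not a plain chain."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def analyse_source(src):
    """Derive a file allowlist and a list of (line, reason) rejections from source text."""
    allowed_files = set()
    rejections = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name in FORBIDDEN_CALLS:
            rejections.append((node.lineno, f"forbidden call {name}()"))
        elif name == "open":
            first = node.args[0] if node.args else None
            if isinstance(first, ast.Constant) and isinstance(first.value, str):
                # Path is a literal: accept it at "compile time" for the run-time sandbox.
                allowed_files.add(first.value)
            else:
                rejections.append((node.lineno, "open() with a path not known at compile time"))
    return {"allowed_files": sorted(allowed_files), "rejections": rejections}


# Constructed sample app: one literal open(), one forbidden call, one dynamic open().
SAMPLE_APP = '''\
import os
cfg = open("festivals.json").read()
os.system("date")
path = input("file? ")
data = open(path).read()
'''

if __name__ == "__main__":
    print(analyse_source(SAMPLE_APP))
```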