Interference from user space
Posted Mar 4, 2024 15:07 UTC (Mon) by calumapplepie (guest, #143655)
In reply to: Interference from user space by Cyberax
Parent article: A sandbox mode for the kernel
Wouldn't having the sandbox task isolated from the kernel necessarily mean that information leaks from it are permissible? I think the fear of allowing ptrace is that it enables attackers to take the now-trusted output of the sandbox task and mess with it, re-opening the attack surface. It doesn't matter if we leak the exact details of what the user-mode task is doing, if those details are only dependent on what the original process was trying to do; an attacker who can ptrace the sandbox can ptrace the original. You can't use the sandbox to, say, break KASLR if it's not mapped to the kernel.**
** This is a blatant lie; we would need to be very careful with what data is passed into the sandbox.
