The sandboxing on mobile platforms puts the OS vendor in a special position to enforce a monopoly on apps and features. Apple enforces it aggressively, while Google only reluctantly so far. It also prevents the user from exerting full control of the system. Apple does it by locking things down directly, while Google punishes you for owning your devices with attestation.

There has to be a better way. I think Linux's flatpak is a reasonable approach here, although the execution might be rather poor. I want a basic set of trusted tool that I can do anything with, and run less trusted tools like GUI programs in sandboxes with limited filesystem access.

Those are policy decisions not really connected to the sandboxing technology. They control what sort of signing the system will accept and make it so that it only runs things they approve, and they only approve things that are sandboxed a certain way. The exact same sandboxing could be used with a system where an admin user can decide what gets to run and what kind of sandboxing is required for each thing.