curl is the sandbox. It exchanges packets with the internet and then outputs a safely sanitized byte stream.

curl is only the sandbox if you don't then do anything with the byte stream.

Pipe it to bash? game over

Pipe it to less/more? Better hope your distro keeps those patched

Open the file in a browser or PDF reader? Hey, look at all this shiny new attack surface!

	▲	inigyou 2 hours ago \| parent \| next [-]
		Well yeah, that's true for any sandbox. If you pipe stuff outside of the sandbox, outside of any sandbox, and run it there, then you're not running it in a sandbox.
	▲	layer8 4 hours ago \| parent \| prev [-]
		How do you set up the sandbox without having downloaded anything from the internet? I guess there’s still places where you can buy Linux CDs.