Build Security

The primary obstacle to getting sandboxing into Cargo (for build scripts) and rustc (for proc-macros) is implementing it (or at least prototyping it), not convincing people that it should be done.

Sandboxing is already an accepted Major Change Proposal. You can use host.runner to experimentally plug in your choice of sandbox to Cargo build script execution. What this problem needs is people working on implementing solutions and seeing how well they work in practice.