Hmm. Should I understand the sandbox to mean that, if I am going to be compiling someone else's code, only looking at the -J flags will be enough to make sure it is not using any of my private files?
It is the intention. I can't guarantee there are no bugs that break that assumption though :)