I don't think OS X's sandboxing has seen nearly as much scrutiny as the iOS/Android counterparts. An OS X sandbox escape buys you barely anything since the vast majority of apps don't come form the Mac App Store and don't bother enabling it. I wouldn't put a whole lot of faith in it.

Vast majority? Well, for the Hacker News audience, sure :) But the App Store is popular enough for Apple to require a checkbox in the settings for installing outside apps, like on Android.

You're confusing the App Store and Gatekeeper. If you register for Apple's developer program they'll issue you a certificate that you can use to sign and distribute your applications outside the App Store, with no input or restrictions from Apple, while bypassing that checkbox. These applications are the majority that aren't required to be sandboxed, and rarely are.

IIRC (haven't used modern Macs in a while) Gatekeeper has three modes — allow App Store only, allow App Store + signed outside, allow all (unsigned) apps. Didn't they switch to the first one by default??

The most recent OSX version (Sierra) made the change of hiding the option that totally disabled Gatekeeper, but the default hasn't changed. I have a Sierra VM I set up about a month ago, and I just checked the setting and it's at "App Store and identified developers".