Who told you it's going to be sandboxed? It's probably going to be an obfuscated binary blob (it has to be if it wants to try to ensure that nothing is intercepting it) which will try verifying that the OS isn't intercepting data.
The spec talks about both securing the CDM with Sandboxing and preventing fingerprinting, amongst other security + privacy issues that should be addressed:
The spec also says that if the CDM isn't sandboxed then the user needs to be warned and prompted to allow exec:
> if a user agent chooses to support a Key System implementation that cannot be sufficiently sandboxed or otherwise secured, the user agent should ensure that users are fully informed and/or give explicit consent before loading or invoking it.