https://sandstorm.io/how-it-works

Sandstorm implements a capability-based security model, where not only does each app run in a strong sandbox, but a new instance of the app is created for each document (or whatever the app's logical unit of data may be). Sandstorm itself enforces that each document can only be accessed by the people with whom it has been shared, regardless of any bugs that might exist in the app itself. All communications between the user's browser and the app go through a proxy implemented by Sandstorm which applies this authorization regime.

Apps cannot even talk to each other or the internet without specifically requesting access, granted by the user. The UX model for these requests is designed to flow naturally for the user, by deriving the user's intent to permit access from the action they took that caused the access to be needed. For example, say the user wants to embed a chart into a document, where the chart editor and document editor are separate apps. The user clicks some sort of "embed" button in the document editor. Now they are presented with a chooser where they can pick which thing they want to embed. If they make a choice, there is no need to separately ask the user if they want the document to have access to the chart -- of course they do. Sandstorm works by having the system implement the "picker" UI directly, so that Sandstorm knows the user made this choice, and can automatically provide the implied authorization.

All this actually makes apps easier to write since they don't have to deal with authorization and user management themselves, and as a result there are a lot of neat unique apps for Sandstorm written by various people in a short amount of time. However, the downside is that existing off-the-shelf apps that do already feature their own user management and authorization are somewhat laborious to port to Sandstorm.

Yunohost takes a more traditional model of just running each app and letting it figure out its own authorization.
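As an added illustration (not Sandstorm's code, and not part of the comment above), here is a constructed model of the three mechanisms described: one sandboxed instance per document, a platform proxy that enforces sharing before the app ever sees a request, and a picker that turns the user's choice into an unforgeable capability for app-to-app access. Class and method names are hypothetical.

```python
import secrets
from dataclasses import dataclass, field

# Constructed model of the scheme the comment describes; not Sandstorm's own code.
@dataclass
class Grain:
    """One sandboxed app instance, bound to exactly one document."""
    app: str
    owner: str
    shared_with: set = field(default_factory=set)
    caps: dict = field(default_factory=dict)   # target grain id -> capability token held

class Sandbox:
    def __init__(self):
        self.grains, self.tokens = {}, {}       # tokens: capability token -> grain id

    def create_grain(self, app, owner):
        gid = f"{app}-{secrets.token_hex(4)}"
        self.grains[gid] = Grain(app, owner)
        return gid

    def share(self, gid, actor, user):
        if actor != self.grains[gid].owner:
            raise PermissionError("only the owner can share a grain")
        self.grains[gid].shared_with.add(user)

    def can_access(self, user, gid):
        g = self.grains[gid]
        return user == g.owner or user in g.shared_with

    def proxy(self, user, gid, app_handler):
        """Browser -> app: the platform checks sharing first, so a buggy
        app_handler that would serve anyone still cannot leak to an unshared user."""
        if not self.can_access(user, gid):
            return 403, None
        return 200, app_handler(user)

    def pick(self, user, requesting_gid, chosen_gid):
        """Picker UI: the user's choice itself is the authorization; mint a capability."""
        if not (self.can_access(user, requesting_gid) and self.can_access(user, chosen_gid)):
            raise PermissionError("user cannot access one of the grains")
        token = secrets.token_urlsafe(16)
        self.tokens[token] = chosen_gid
        self.grains[requesting_gid].caps[chosen_gid] = token
        return token

    def app_to_app(self, requesting_gid, token, target_handler):
        """App -> app: no ambient access; only a capability this grain holds opens the target."""
        target = self.tokens.get(token)
        if target is None or self.grains[requesting_gid].caps.get(target) != token:
            return 403, None
        return 200, target_handler()
```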
