You can turn pretty much all of it off, disable SIP, boot Linux, whatever you like.
Good security is layered. For example, even with a sandbox escape, and app could not read your full Documents directory, modify the OS, or install a firmware-level rootkit.
Good security is layered. For example, even with a sandbox escape, and app could not read your full Documents directory, modify the OS, or install a firmware-level rootkit.