To create sandbox inside sandbox or to extend sandbox permissions at run time
Idea aims to solve test some software inside sandbox. For example: testing flatpak inside some container pretend to be Ubuntu system.
Solution is to create standard interface to extend sandbox/process inside sandbox permissions (or to restrict it). You could create dbus (or whatever) daemon listen on some unix socket inside an sandbox. This daemon provide api to ask for additional permission (or create process with it).
Another solution could be use newer interface for proton/wine (syscall user dispatch, perhaps?) to handle unsupported system calls. This (second() solution is maybe impossible, but if I could select one and both could be able to realize, I would select second.