There's absolutely nothing preventing a sandboxed environment :) Connections are just processes that talk over TCP; if the client wants to sandbox whatever it evals, it can definitely do that.
Sorry I wasn't clear, but the ability to "undo" an operation definitely requires a programming model change. The sandbox is only one part of that.
Rolling your own magic sandbox isn't going to help much without more buy-in from the environment (though I'm sure most of us test in sandboxes anyways).