You can apply the generic sandboxes to the whole process, but that's not the same as a targeted seccomp. For example, you can use one of the external jails to stop your media app from using the network, and that's great. But what if you want to stream content from the internet? Without changing the source, you can't apply the no-network rule only to the decoding part. That's what still needs work from the maintainers.