
Gnome sandboxing uses exactly the same technologies behind the scenes as Docker uses: cgroups, namespaces, ... They add the additional requirement that they need Wayland to circumvent the security issues that X11 presents them. Other than that, you could do it just the same way.

So your "when-containers-dont-have-root-bug-today" applies to Gnome too...

Also: there is no such thing as 'actual' sandboxing. There are many forms of sandboxing; containers (not Docker-exclusive, as Gnome is using them exactly the same way) are one form, but we also know virtual machines, the Java VM, JavaScript in a browser, ... the list goes on - all meaning the same thing: shield an application from everything else on the computer and try to prevent it from breaking out.



