Enable Canisters to Hold ICP

The bug in question specifically refers to “a potential sandbox escape in a Wasm program”. Not sure about how sandboxing, as a mitigation strategy, would solve that.

Yes, I should clarify there are two layers of sandboxing we are talking about. WebAssembly provides sandboxing to ensure the code cannot be modified and that data is contained within allocated memory. The risk we want to mitigate is a jailbreak from this Wasm sandbox.

Sandboxing of canisters is another layer. The idea is to use process isolation. Each canister will run in its own process. So even if malicious canister code manages to break out of the Wasm sandbox, it is still only affecting its own isolated process, i.e., captured within the canister sandbox.

We have a thread for discussing canister sandboxing here.

5 Likes
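To make the two-layer argument in the reply above concrete, here is a small model of the second layer, added here as an illustration; it is not code from this thread, from DFINITY, or from the replica. It assumes a constructed piece of host state (`HOST_STATE`) standing in for data a canister must never reach, and three hypothetical message handlers: an honest one, one modelling code that has already broken out of the first (Wasm) layer and writes to host memory, and one that simply crashes. Each handler is run once inside the host process (no canister sandbox) and once in its own forked process (the canister sandbox), and the host records what it can still observe afterwards. Python is used because it keeps the process-isolation mechanics visible in a few lines; the real replica does this differently.

```python
import multiprocessing as mp
import os

# Constructed stand-in for replica-side state that canister code must never touch.
HOST_STATE = {"ledger_balance": 100}


def reset_host_state():
    HOST_STATE["ledger_balance"] = 100


def honest_canister(msg):
    """A well-behaved message handler: computes on its input and returns."""
    return msg * 2


def escaped_canister(msg):
    """Hypothetical handler modelling code that has already escaped the Wasm
    sandbox (layer one) and now writes into host memory."""
    HOST_STATE["ledger_balance"] = 0
    return "tampered"


def crashing_canister(msg):
    """Hypothetical handler modelling escaped code that takes its process down."""
    os._exit(1)


def call_without_isolation(handler, msg):
    """Baseline: the handler runs inside the host process, so anything that
    gets past the Wasm layer lands directly in host memory."""
    return {"result": handler(msg), "exitcode": 0}


def call_in_canister_sandbox(handler, msg, timeout=5.0):
    """Layer two: run the handler in a forked child process. The child works on
    its own copy of memory, which is discarded when it exits, and a crash is
    reported back as an exit code instead of taking the host down."""
    ctx = mp.get_context("fork")
    parent_end, child_end = ctx.Pipe(duplex=False)

    def worker():
        child_end.send(handler(msg))
        child_end.close()

    proc = ctx.Process(target=worker)
    proc.start()
    child_end.close()  # parent keeps only the read end, so EOF means the child is gone

    result = None
    if parent_end.poll(timeout):
        try:
            result = parent_end.recv()
        except EOFError:  # child exited without ever replying (crash)
            result = None
    proc.join(timeout)
    if proc.is_alive():  # hung canister: reclaim the process rather than wait forever
        proc.kill()
        proc.join()
    return {"result": result, "exitcode": proc.exitcode}


def demo():
    """Runs the escaped handler both ways and reports what the host sees."""
    reset_host_state()
    call_without_isolation(escaped_canister, 1)
    no_isolation_balance = HOST_STATE["ledger_balance"]  # host state was overwritten

    reset_host_state()
    sandboxed = call_in_canister_sandbox(escaped_canister, 1)
    sandboxed_balance = HOST_STATE["ledger_balance"]  # damage stayed inside the child

    crashed = call_in_canister_sandbox(crashing_canister, 1)  # host keeps running
    honest = call_in_canister_sandbox(honest_canister, 21)
    return {
        "no_isolation_balance": no_isolation_balance,
        "sandboxed_balance": sandboxed_balance,
        "sandboxed_result": sandboxed["result"],
        "crash_exitcode": crashed["exitcode"],
        "honest_result": honest["result"],
    }


if __name__ == "__main__":
    print(demo())
```

The point the numbers make: with the handler in-process, the escaped code zeroes the host's balance; in its own process it can only zero its own copy, the host still reads 100, and the crashing handler shows up as exit code 1 rather than as a dead host. Process isolation does not stop the Wasm escape itself; it limits what the escape can reach, which is exactly the "still only affecting its own isolated process" claim in the reply.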