No, full deny is the only real mechanism; sandboxes aren't fully safe as before. It doesn't need to be a small one, it could be a big one as well, it could be payload + movie. Containerisation is one of the most effective ways to isolate potentially dangerous processes, including exploited ones. Opening non-trusted files in a container is exactly avoiding doing something stupid.
With all respect, the stupid thing is exactly what you are saying: running non-trusted files on your production machine hoping your sandbox/VM will keep you safe, which hasn't been so true for a few years.
Don't get me wrong, I also do things I shouldn't, like downloading torrents, but I run them on a spare Linux machine. That is a real safe container, because I don't care about it being infected, /format, lol.