Comment by mike_hearn

Kernels don't understand TLS or HTTP level concepts and can't sandbox them indeed, it's a weakness for sure.

MSIX is integrated with the (new) Win32 sandboxing mechanism, yes. You can activate an app container by requesting one in the manifest. But that only works on the very latest Win11 and you'll definitely encounter bugs.