Yeah, that sounds like a basic garbage collection issue, and isn't that the very basics of sandboxing? Is the rule not to not hand memory to a sandbox that hasn't already been overwritten with 0s or random information? This sounds analogous to the old C lack of bounds checking, where you could steal passwords and stuff just by accessing out-of-bounds memory. Is this not low-hanging fruit?