Comment 1 for bug 1936299

Julian Andres Klode (juliank) wrote :

Make sure that the _apt user can read all files in /etc/apt/trusted.gpg.d and /etc/apt/trusted.gpg, and any key files you might have specified via signed-by in sources.list.

Disabling the sandboxing makes it easier for an attacker that controls the HTTP server to make use of vulnerabilities in the HTTP, TLS, or GPG stacks, as they process this untrusted data as root instead of as an unprivileged user (ok, there is another APT-specific escape hatch in the sandbox that also needs fixing, but still, it improves security somewhat).
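The check the comment asks for, written out as an added shell example (this is not code from the bug report or from apt itself). It inspects only the mode bits of each keyring path, on the reasoning that _apt is neither root nor in root's group, so a keyring needs the "other" read bit and its directory needs the "other" search bit; ACLs are not considered, so the check is conservative. The demonstration directory and dummy keyring files at the bottom are constructed for the example.

```shell
#!/bin/sh
# Added example: report keyring paths whose permission bits deny access to
# "other", which is what apt's sandboxed fetcher (running as _apt) sees.
# Only mode bits are inspected; POSIX ACLs are ignored, so a path flagged
# here might still be readable via an ACL (the check errs on the safe side).

# mode_char PATH POS: print character POS of the ls mode string for PATH
# (8 = other read, 10 = other execute/search). -L follows symlinks so a
# symlinked keyring is judged by its target.
mode_char() {
    ls -ldL "$1" | cut -c"$2"
}

# check_keyring_file FILE: return 0 if "other" can read it, 1 otherwise.
check_keyring_file() {
    if [ "$(mode_char "$1" 8)" != "r" ]; then
        echo "keyring not readable by _apt: $1" >&2
        return 1
    fi
    return 0
}

# check_apt_readable PATH...: each PATH is a keyring file or a directory of
# keyrings. Offending paths are printed to stderr; the return value is the
# number of offending paths (0 means everything is readable by _apt).
check_apt_readable() {
    bad=0
    for p in "$@"; do
        if [ -d "$p" ]; then
            # _apt must be able to traverse the directory to open the files.
            case "$(mode_char "$p" 10)" in
                x|t) ;;
                *) echo "directory not searchable by _apt: $p" >&2
                   bad=$((bad + 1)) ;;
            esac
            for f in "$p"/*; do
                [ -f "$f" ] || continue
                check_keyring_file "$f" || bad=$((bad + 1))
            done
        elif [ -f "$p" ]; then
            check_keyring_file "$p" || bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed demonstration: a temporary directory standing in for
# /etc/apt/trusted.gpg.d with one readable and one root-only dummy keyring.
demo=$(mktemp -d)
chmod 755 "$demo"
printf 'dummy keyring' > "$demo/ok.gpg";  chmod 644 "$demo/ok.gpg"
printf 'dummy keyring' > "$demo/bad.gpg"; chmod 600 "$demo/bad.gpg"
check_apt_readable "$demo" \
    && echo "all keyrings readable by _apt" \
    || echo "$? keyring path(s) need fixing"
rm -rf "$demo"
```

On a real system you would call `check_apt_readable /etc/apt/trusted.gpg.d /etc/apt/trusted.gpg` plus any signed-by key files from sources.list; the authoritative answer for a single file is still `sudo -u _apt test -r /path/to/keyring`, which also honours ACLs.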