Comment 195 for bug 1022741

Dev suggested making SetSandboxFlags fail if the flags would be less restrictive than the currently are - with a special case for clearing the flags completely. This seems like a nice little bit of defense in depth, I'll look at adding this some time in the near future, could always be done as a quick followup too.