Filesystem sandboxing isn't new.

No, it isn't.  chroot() probably being the first example.

There are others. but always "externally set" over the lifetime of the program, including the startup phases of the program.

Effectively this means that often, you have to have a *lot* of things available to the program.

Startup and configration portions of programs often require much more access than when doing actual work.

We want to allow the programmer to choose when to restrict the filesystem.
   	Goal: Tighter restrictions in the important parts of the program.

As a result, this becomes a little different than chroot and friends.