Always use the Darwin sandbox

Even with "build-use-sandbox = false", we now use sandboxing with a
permissive profile that allows everything except the creation of
setuid/setgid binaries.

src/libstore/sandbox-defaults.sb

@@ -1,5 +1,7 @@
 (define TMPDIR (param "_GLOBAL_TMP_DIR"))
 
+(deny default)
+
 ; Disallow creating setuid/setgid binaries, since that
 ; would allow breaking build user isolation.
 (deny file-write-setugid)