it looks handy but ...

    sbx policy set-default open

just so the single pi sandbox can talk to localhost? ... this gives me some grave doubts about the rest of it being set up well.