Function constructor attack (use a comm channel instead of naive function).
Leaking global attack (easy Function wrapper).
Type coercion attack (serialize inside the sandbox, though you may want to add a circular dependency serializer inside the sandbox).
Function.caller attack (fixed by strict mode).
Function.arguments attack (fixed by strict mode).
Native prototype attack (fixed by lack of leaks from others, hooking Function.prototype.call from leaked function for example).
This should fix the following:
Function constructor attack (use a comm channel instead of naive function). Leaking global attack (easy Function wrapper). Type coercion attack (serialize inside the sandbox, though you may want to add a circular dependency serializer inside the sandbox). Function.caller attack (fixed by strict mode). Function.arguments attack (fixed by strict mode). Native prototype attack (fixed by lack of leaks from others, hooking Function.prototype.call from leaked function for example).
I added some basic examples.