Got a PM from a user with some suggestions about tightening up the sandbox against vandalism. They weren't practical, but they got me looking at the admin panel for the sandbox. In the "Permissions" tab under "Security", it lets you customize permissions for different categories of pages on a wiki.
The primary objection to restricting editing on Sandbox pages to page creators is that it'll interfere with collaborative efforts based on the sandbox. I'd like to propose an alternative. General or default category pages (the ones without colons in the URL) can be restricted to editing by page creators only (which will include sandbox mods and admins), while pages in the "collab" category (any URL beginning with "collab:") can be set to be editable by anybody with a Wikidot account, the current privacy settings.
Tuomey suggested in chat that we add more staff members to the sandbox mods list, which seems like a good idea to make sure that staff have access to these pages. This will ensure that pages made automatically or by default can only be edited by the page creator, but people who want to make pages to collaborate with others will still be able to do so with collab:URL pages. It's an extra step, but it'll go miles to preventing future vandalism or unauthorized editing.
(account deleted)