Sandboxing is meaningless when you install malware on your system. Imagine KepassXD - rogue password manager or browser or email client or dns client… malware doesn’t have to break any sandbox - all secrets already belongs to it.
I agree and already said that I’m comparing here snaps to official distro repositories, not PPA. Also I believe there are a lot of people who aren’t affiliated with upstream but still do high quality maintenance of snap packages but it’s hard to know that basing on snapstore info.
All Information Security is build on trust, that’s clear. If we stick to only known developers and vendors then number of available snaps would be cut tenfold for reasons which @mcphail described.
The question is how you can trust publisher when you know only his name and email? I believe most people install snaps from store because they trust Canonical and they think Canonical wouldn’t allow hosting snaps which could harm users.
If there was warning like “This snap is published by John Doe (john.doe@example,com). This snap isn’t affiliated with Canonical Ltd. Install at your own risk.” the situation will be more clear.
There is also a quality issue when snaps are outdated and unmaintained. No one should install dnsmasqd but some users do. I know PPA have same problem but this package is in official repos of every distro and users will expect similar quality in snapstore otherwise there is no point.
You may say that Canonical provides only a platform and publishers and users are free to do everything they want but I doubt it will end happily.