Well the same applies to any other thirdparty software sources like PPAs and it has even more power to do malicious things than snaps (e.g. The Debian packages’ installation script is actually run as root and has unrestricted access to your system).
As the sandbox technology advances the exploits will be smaller due to more granular control of access (for example the new XDG desktop portals eliminates the requirement of open up access to most of your personal files via only allow access to the files user-specified to the applications).