Use macOS sandbox to isolate system dependencies #738

@geofft

Description

#545 was because we were setting CC but not CXX, meaning we were using our own cc command but /usr/bin/c++.

I think we can use the macOS built-in sandboxing system (see man sandbox-exec and man sandbox_init, see also /System/Library/Sandbox/Profiles/ for examples of the syntax) to restrict access to /usr/bin/c++ and friends, so the build fails if you attempt to use it.

... honestly this kind of sounds like https://github.com/twosigma/ts_isolate, I wonder if we should use that on Linux and whether I should add a macOS implementation with the same API, backed by sandbox_init.
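One way to build the kind of profile the comment suggests, as an added example that is not part of the issue or the project's code: a small POSIX shell script that emits a Sandbox Profile Language (SBPL) profile denying `process-exec` on the system compiler shims and then runs the build command under `sandbox-exec -f`. The list of "friends" of /usr/bin/c++ (clang++, g++, cc, clang, gcc) is an assumption, as are the function names `make_profile` and `run_sandboxed`; the `run_sandboxed` helper returns 127 on a host without `sandbox-exec` so the script can be exercised off macOS.

```shell
#!/bin/sh
# Added example, not from the issue: generate an SBPL profile that denies
# exec of the system compiler shims, then run a build under it.

# Assumed set of system compilers to block ("/usr/bin/c++ and friends").
BLOCKED_COMPILERS="/usr/bin/c++ /usr/bin/clang++ /usr/bin/g++ /usr/bin/cc /usr/bin/clang /usr/bin/gcc"

# Print a profile that allows everything except exec'ing the listed paths.
# Later rules win in SBPL, so the deny lines override (allow default).
make_profile() {
    printf '(version 1)\n'
    printf '(allow default)\n'
    for p in $BLOCKED_COMPILERS; do
        printf '(deny process-exec (literal "%s"))\n' "$p"
    done
}

# Number of deny rules the profile carries; handy for a quick self-check.
count_deny_rules() {
    make_profile | grep -c 'deny process-exec'
}

# Run "$@" under the generated profile. Returns 127 when sandbox-exec is
# absent (non-macOS host) instead of silently running the build unsandboxed.
run_sandboxed() {
    command -v sandbox-exec >/dev/null 2>&1 || return 127
    profile=$(mktemp) || return 1
    make_profile > "$profile"
    sandbox-exec -f "$profile" "$@"
    status=$?
    rm -f "$profile"
    return $status
}

# Usage (macOS only): run_sandboxed make
# A build that falls back to /usr/bin/c++ then fails at exec time instead
# of silently linking against the wrong toolchain.
```

Two caveats worth knowing before relying on this. First, `sandbox-exec` is marked deprecated in its man page, although it still works; the `sandbox_init` API the comment mentions is the programmatic route to the same profiles. Second, the /usr/bin compiler binaries are shims that locate and exec the real toolchain under Xcode or the Command Line Tools, so a profile that denies only the shims still lets a build that invokes those toolchain paths directly go through; whether to extend the deny list to them is a per-project decision. Denied execs are reported in the unified log, which makes a mis-set CC or CXX easy to spot during debugging.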
