Ah, typical, the moment I post this I try a different search and find it: Isolated processes for privacy and security in gnome web
For reference in case this comes up instead of the above post (which doesn’t directly mention “sandbox”) - it does look like Epiphany uses flatpak-spawn in the same way as patched Chromium browsers inside a flatpak, so in theory (assuming all else equal) it could provide a stronger sandbox than Firefox, although I won’t mark this as the solution just yet because it would be good to see if seccompBPF is also used, if anyone is able to confirm if that’s the case?