torsocks could support ptrace sandboxing

pros:

• 'fixes' SIP, suid, caps
• fixes static binaries

cons:

• kind of a pain to implement
• DNS would require actual parsing, which is apparently a hard problem even for 'minimal' implementations: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html. I think an initial hybrid implementation could punt on this, and it would still fix the ugly hack of hardcoding SIP paths.