How does Shopify keep its themes sand-boxed?
I come from a WordPress background, and within a WordPress theme you can do basically anything you want with the server, since a theme is just a collection of PHP files which are included into the application's core scripts. I believe this is one of the reasons you can't upload your own theme to use in WordPress.com.
That brings me to the question: How exactly does Shopify (and maybe other platforms as well) allow its users to upload their own themes and keep them sand-boxed?
Shopify does not allow anyone to actually upload any themes. Shopify (and hosted WordPress) just allow people to alter the contents of scripts that get executed server-side.
Shopify is smart in that they made the theme templates that users can change safe. You can stick as much dumb-ass, ass-hat crap as you want in your theme, and nothing bad will happen to Shopify itself.
Contrast that with hosting your own WordPress shop. Any idiot can upload idiotic crap as a theme and successfully break the server. As can any twelve-year-old script kiddie, since PHP is not terribly secure as a scripting language.
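To illustrate the contrast drawn in this thread between a theme that is executed as PHP and a template that is safe to let users edit, here is an added example (not part of the answer above and not Shopify's code) of a restricted template renderer that treats theme text as data. The names `render_theme`, `lookup`, `ALLOWED_FILTERS` and the `{{ name | filter }}` syntax are assumptions made for the illustration, and the sample templates are constructed.

```ruby
# Filters a theme author may call. Anything not listed here does not exist.
ALLOWED_FILTERS = {
  "upcase"   => ->(s) { s.upcase },
  "downcase" => ->(s) { s.downcase },
  "truncate" => ->(s) { s.length > 20 ? s[0, 20] + "..." : s }
}.freeze

# Only dotted names made of word characters count as a lookup.
PATH_RE = /\A[A-Za-z_]\w*(\.[A-Za-z_]\w*)*\z/

HTML_ESCAPES = { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;",
                 '"' => "&quot;", "'" => "&#39;" }.freeze

# Walk nested Hashes by string key. No method is ever called on the data,
# so a template cannot reach objects the platform did not hand over.
def lookup(context, path)
  path.split(".").reduce(context) do |node, key|
    node.is_a?(Hash) ? node[key] : nil
  end
end

# Render {{ name | filter }} tags. Template text is parsed and interpreted;
# it is never passed to eval, send, or a shell.
def render_theme(template, context)
  template.gsub(/\{\{(.*?)\}\}/m) do
    expr, *filters = Regexp.last_match(1).split("|").map(&:strip)
    next "" unless PATH_RE.match?(expr.to_s)   # not a plain lookup: emit nothing
    raw = lookup(context, expr)
    value = raw.is_a?(String) || raw.is_a?(Numeric) ? raw.to_s : ""
    filters.each do |name|
      fn = ALLOWED_FILTERS[name]
      value = fn.call(value) if fn             # unknown filters are ignored
    end
    value.gsub(/[&<>"']/, HTML_ESCAPES)        # output is always HTML-escaped
  end
end

# Constructed sample data the platform chooses to expose to the theme.
SAMPLE_CONTEXT = {
  "shop"    => { "name" => "Tea & Co" },
  "product" => { "title" => "green tea" }
}.freeze
```

A tag that is not a plain lookup, or a lookup that tries to step from a value into its Ruby methods, renders as an empty string instead of running anything.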