py2app should support sandboxing
Py2app should have options to add sandboxing to an application. This can be done using the codesign(1) utility using entitlments.
Note: I don't know yet how useful sandboxing is without getting the application signed for AppStore distribution.
Note 2: I also don't know if the AppStore will accept application bundles that were signed outside of Xcode.