The sandbox features are a key feature of J2EE. That is how servlets/webapps/apidujour are isolated from each other. That is how your J2EE app can share a JVM with hundreds of strangers at a hosting facility for lower cost (and lower security) than a Xen/Vmware virtual machine. That is how many people create their own custom multi-app platform to share a JVM that reliably isolates the apps.
Javascript is reasonable in the browser, and has a standard. Flash is an abomination. I let it run only when absolutely necessary (youtube, cough, cough). When I do let it run, it crashes the browser after 20 minutes or so to let me know it's time for bed.
While I agree that they are not as popular, Java applets (for which the sandbox is also key) are much friendlier to the browser, and I trust the Java sandbox a whole lot more than Flash.