I'd add the ability to run Windows binaries in emulators, but they can't access any programs other than themselves. If that was a problem, add a phantom disk image so it could see other files that you place in the phantom disk image. Imagine each emulated Windows program saw its own personal c:/, which you could populate with files.
So... Wine with a new WINEPREFIX for each program?
I figure if the software you download can't get out of the Windows emulator or its own personal filesystem, it can't mess with your OS or the rest of your filesystem. If it can't record your keystrokes unless you have the window actively open, a keylogger can't get you either. The problem is that we probably don't have perfect Windows emulation. Another problem is that you have to be able to trust your drivers, or they become a possible attack vector.
Run Wine in a Docker image? That's pretty well sandboxed and easy to set up.
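Both suggestions in this thread (a fresh WINEPREFIX per program with a "phantom C: drive", and running Wine inside Docker) can be combined in one small script. The following is an added example, not code posted by anyone in the thread. It assumes Wine is available in a local container image tagged `wine-sandbox:latest` (a placeholder name), that `SANDBOX_ROOT` is where per-program prefixes live, and it leaves display passthrough out; set `DRY_RUN=1` to print the container command instead of running it.

```shell
#!/bin/sh
# Added example: one WINEPREFIX per Windows program, seeded from a "phantom
# disk" directory, executed in a Docker container with no network, no extra
# host mounts, all capabilities dropped and no privilege escalation.
# Assumptions: image wine-sandbox:latest exists locally (placeholder name);
# SANDBOX_ROOT defaults to ~/.wine-sandboxes; no DISPLAY is forwarded.

SANDBOX_ROOT="${SANDBOX_ROOT:-$HOME/.wine-sandboxes}"

# Derive a per-program prefix directory from the program's file name,
# replacing anything outside [A-Za-z0-9._-] so the path stays well-formed.
prefix_for() {
    name=$(basename "$1" | sed 's/[^A-Za-z0-9._-]/_/g')
    printf '%s/%s\n' "$SANDBOX_ROOT" "$name"
}

# Create the prefix and seed drive_c with the contents of the phantom disk
# directory (if given), so the program only ever sees files placed there.
make_prefix() {
    prefix=$1; phantom=$2
    mkdir -p "$prefix/drive_c"
    if [ -n "$phantom" ] && [ -d "$phantom" ]; then
        cp -R "$phantom"/. "$prefix/drive_c/"
    fi
    printf '%s\n' "$prefix"
}

# Render the container invocation as text (used for DRY_RUN and for review):
# only the prefix is bind-mounted, networking is disabled, capabilities are
# dropped and setuid-style escalation is blocked.
docker_cmd() {
    prefix=$1; exe=$2
    printf 'docker run --rm --network none --cap-drop ALL --security-opt no-new-privileges'
    printf ' -v %s:/prefix -e WINEPREFIX=/prefix wine-sandbox:latest wine %s\n' \
        "$prefix" "/prefix/drive_c/$(basename "$exe")"
}

# Copy the program into its own prefix and run it in the container.
# Wine initialises a new prefix on first use, so no separate wineboot step.
run_sandboxed() {
    exe=$1; phantom=$2
    prefix=$(prefix_for "$exe")
    make_prefix "$prefix" "$phantom" >/dev/null
    cp "$exe" "$prefix/drive_c/"
    if [ -n "$DRY_RUN" ]; then
        docker_cmd "$prefix" "$exe"
        return 0
    fi
    docker run --rm --network none --cap-drop ALL --security-opt no-new-privileges \
        -v "$prefix:/prefix" -e WINEPREFIX=/prefix wine-sandbox:latest \
        wine "/prefix/drive_c/$(basename "$exe")"
}

# Usage: DRY_RUN=1 ./sandbox.sh 'Some App.exe' ./phantom-drive
if [ -n "$1" ]; then
    run_sandboxed "$1" "$2"
fi
```

One caveat on the keylogger point made above: the filesystem isolation here comes from the bind mount and WINEPREFIX, but keyboard isolation depends on the display path. If you later forward an X11 socket into the container to get a window, X11 clients on the same server can observe each other's input, so the "only while the window is focused" property no longer holds; a nested X server or Wayland per sandbox keeps it.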