Tested on real device that
/etc/passwd is readable inside sandbox. The real threat is not about the passwd. All files in app sandbox will be accessible and http request to any domain is allowed from this context. If sensitive information is not securely stored in KeyChain, attacker will be able to read your BinaryCookies, chat history or other secrets.