It's fine as long as both exist and third parties are not allowed to know which one you're running.

Otherwise, you have banks and MAFIAA and others off-loading their own security and compliance costs to users by flat out discriminating based on the status of the sandbox.

Exactly. We won't have "hardware integrity" and other such freedom-limiting factors going the way of the dodo anytime soon if we keep handing the organizations trying to estabilish those systems ourselves lubed and ready to go.