I was more thinking if the malicious script calls npm itself, recursively... it could even redefine $PATH again to skip the next call to the bubblewrap wrapper scriptlet. I don't know if bwrap protects from that.
You can't really escape it AFAIK, except by using kernel vulnerabilities. Once you're in the sandbox, you can only call and read/write whatever was available when you entered it.
If you have a Linux system nearby, set it up and run `pnpm bash`, and then walk around the system and look at what you can see and do. (Not much.)
