Generally app instances (called grains) are isolated and only visible through invitation or special shared links, but apps can also export static files that can be made accessible under custom domains (e.g. a CMS' admin interface is accessed through the sandstorm interface, but the generated page is publicly visible under a custom URL).
Blogging/publishing software that works on Sandstorm
If you're using Sandstorm to host your personal site, add examples below.
- Add yourself here… (see this for more details)
Sandstorm is doing some pretty interesting things under the hood technologically speaking, such as Cap'n Proto which is like protocol buffers, but faster. Ported applications are modified to use Sandstorm's unified login mechanism. Once the user is authorized, applications can speak to other applications running in the same instance using Cap n' Proto.
Though it does not use Docker, Sandstorm containers are based on the same Linux kernel feature (LXC). They attempt to be more secure by "lowering the attack surface" — turning off or restricting access to many kernel features. For example, access to the filesystem is limited to the /var directory.
Applications that are not in use are aggressively spun down to conserve resources, with the intent that many, fine-grained applications could be installed on the same server.
This CenturyLink podcast interview with Kenton Varda contains a good discussion of some of the technical decisions.