Obviously if you give all sandboxed processes access to /, that doesn't improve anything.

The idea is that you'd notice that your new git binary is trying to get access to /var/postgres, and you'd deny it, because it has no reason to want that.