There's "sandboxes" and then there's sandboxes. Native Client uses the latter while ActiveX had barely the former.

It does present a real concern and exposing additional APIs is going to always present increased security risk. That said, having looked a bit at Native Client's sandbox and having examined the findings of the well respected security researchers who examined the sandbox protections, Google's taking a pretty good whack at it and their sandbox itself is fairly sound.

My worry is not with their sandbox, but the additional APIs that they expose with it. (See also: WebGL which now throws your entire GL stack into your web browser as security critical code.)