That's an oxymoron. Apart from having a dedicated device, you can't really sandbox the app since it requires basic permissions to function that give access to core phone functions. See https://reports.exodus-privacy.eu.org/en/reports/com.tencent.mm/latest/
You can try to limit permissions of some features that you don't intend to use.