When xpcshell tests create content processes, the security.sandbox.content.level pref reads as 0, because it's set in browser/app/profile/firefox.js, which xpcshell doesn't use. Usually this means the content processes aren't sandboxed. I think it would make more sense for xpcshell to do the same thing as the browser, here. I'm not as sure about changing it across the board, because I don't know how much other embeddings do things that would affect the content process's interaction with the sandbox (e.g., if they load frame scripts that do unexpected things). This may cause regressions. For example, once I land bug 1358647, there's at least one xpcshell test that will break on Linux when it tries to load httpd.js in a content process and XHR it (in fact, if there's any platform where it *doesn't* break, then that's a deficiency in the sandbox and bugs should be filed).
Sandboxing is now explicitly disabled in bug 1370438.