There is a big advantage to using result builders, which is that it encodes the structure of the package into the type system at compile time, rather than building it at runtime. @Xi_Ge alludes to what this might mean:
That is – for simple packages made up only of types and constant values, we would no longer need to "run" the manifest in a sandbox. Instead, we could merely compile it and then extract all the information at build time.
More complex use cases will always need the power of running aribitrary code – but chances are this is not needed by many packages, especially many packages people tend to pull down and depend on. When a package needed the ability to run, not just compile, you could then be asked whether you trust it enough to give it this privilege, something you would probably happily grant your own code but not a copy of leftpad you just downloaded.