CSP/iframe sandbox is meant to host untrusted content (by locking down privildge of the untrusted
content). And powerful APIs such as Service Worker, AppCache, etc are not callable from sandboxed contents. For the same reason, Payment Request API should be disabled in sandxboxed content. If anyone feels that there's a valid use case of Payment Request API in sandbox, then it should be only allowed with "allow-same-origin" keyword (Though I don't think there is such a use case).