Android (since the Lollipop version) is based on NSA's Security Enhanced Linux, which creates one Linux user account per application, keeps application files in a folder owned by that Linux account, and then uses the manifest in the Java archive to request permissions from the user. In older versions of Android, the user would see the requested permissions and decide if the program should be installed or not, resulting in 24/7 notifications if you ever installed a game. In newer Android versions, the user can select which permissions to deny, and then be able to suppress all notifications while still being able to use the mobile application.
Metro was essentially just slower and more limited than traditional applications, for the sake of hardware independence. They were only available for fullscreen mode, but only offered basic office applications where forced fullscreen made no sense and the alternatives already on desktop were much more powerful. The only benefits would be on a Windows Phone, but people who wanted a Windows tablet just bought the Surface Pro and used it as a laptop instead. Then Metro Apps were remade to run in Windowed mode together with other applications, making it a useless emulator for a phone that nobody bought.
Linux handle security by patching security flaws in libraries even if they break backward compatibility. This is possible because the majority of software for Linux is open source and can be patched even if the original developers abandoned it, like how Libre Office replaced Open Office. But the terrible practice of demanding a specific revision of a dynamic library (needed that bug/security fix ASAP), removes the ability to patch things up once the next version arrives just as if the library was linked statically, but while also doubling the pain by having dynamic dependencies. Once other applications demand opposing versions of a shared dynamic library, of which only one can be installed at a time, the older software cannot be installed at the same time as the latest updates of mainstream applications. One needs to either run frequent updates with static linking (for math and GUI stuff), or allow newer minor versions of dynamic libraries with the risk of breaking (hardware or security related).
If you want the safety of sandboxing on Windows, you can just create a new account for running games without administrator access and have another account for banking and work. Even better is to use a removable harddisk for the operating system or find a power cable with a power switch (a bit difficult to solder the modern cables by hand).