[executor] imply sandbox automatically for block-network & tmpfs

[luxe]

If you want to enable block-network or tmpfs on an action, you need to also enable the sandbox.
This is not obvious. If you only enable tmpfs without enabling the sandbox its basically a no op.
Let's honor the user's execution constraint by enabling the sandbox as needed.

This boils down to the following.
Instead of doing something like this:

--remote_default_exec_properties='linux-sandbox=true'
--remote_default_exec_properties='block-network=true'

or

exec_properties = {"linux-sandbox": "True", "block-network": "True"},

You will only need to do this:

--remote_default_exec_properties='block-network=true'

or

exec_properties = {"block-network": "True"},

sandbox will be implied for you.
sandbox is still disabled by default because block-network and tmpfs are also disabled by default.