There is build.rs, proc macros are unsandboxed, and lastly you install the binary so that you can run it. Even if the build and install were fully sandboxed, the binary could still do malicious stuff if ran.

It has build.rs that will run as soon as you compile the dependency. That's not the same thing but pretty close to a post install script: it's very likely to run.

They have build.rs (https://doc.rust-lang.org/cargo/reference/build-scripts.html)

It has build.rs, which has essentially the same problems.