All of the official Ubuntu repositories (encompassing anything that you can find on archive.ubuntu.com or its mirrors, as well as some others) are entirely curated. This means main, restricted, universe, multiverse, as well as -updates and -security. All packages in there have either come from Debian (and so have been uploaded by a Debian Developer) or have been uploaded by an Ubuntu developer; in both cases the package that is uploaded is authenticated by the gpg signature of the uploader.
You can therefore trust that every package in the official archives has been uploaded by either a Debian or Ubuntu developer. Furthermore, the packages you download can be verified by the gpg signatures on the files in the repository, so you can trust that each package you download has been built on the Ubuntu build farm from the source that was uploaded by an Ubuntu or Debian developer¹.
This makes outright malware unlikely - someone in a position of trust would need to upload it, and the upload would be easily tracable to them.
This leaves the question of more surreptitious nefariousness. Upstream developers could put backdoors into otherwise useful software and these could make it into the archive - in universe or multiverse, depending on the license. People do run security audits of the Debian archive, so if this software became popular it's likely that the backdoor would be discovered.
Packages in main have some extra checking and get more love from the Ubuntu security team.
PPAs have almost none of this. The guarantee you get from a PPA is that the packages you download were built on the Ubuntu build infrastructure, and were uploaded by someone with access to one of the GPG keys of the Launchpad account of the listed uploader. There's no guarantee that the uploader is who they say they are - anyone could make a “Google Chrome PPA”. You need to determine trust in some other way for PPAs.
¹: This chain of trust could be broken by an extensive intrusion into the Ubuntu infrastructure, but that's true of any system. The compromise of a developer's gpg key would also allow a black-hat to upload packages to the archive, but since the archive emails the uploader of each package this should be noticed quickly.
from my experience, as an average user I would say you don't have to worry so much about malware on linux than on windows. This might be very different if you are running servers with important content on it.
Since you have to approve anything that could be harmful to your core system (ie. anything that happens outside of /home) by giving your root password malware can't really affect your system settings, unless ofcourse you unknowingly grant them access.
So just stick to the rules...only download executable packages from trusted and/or well reviewed sources and NEVER run wine in sudo mode^^
Regarding the browsers I'd say either one is fine. I've used firefox for 3 years and I am now using Chromium for about a year and a half and I have never had problems with facebook hacks or anything like that.
From a very subjective point of view...I like the user experience with Chromium a little better though.
Best Answer
Yes, but you still will need to execute the script.
Sandboxing prevents your system from automatically executing bad code onto your system. It does not prevent you from executing that code and allowing this script to do things you do not want to happen.