Fingerprinting requires sending information back to the mothership. If we got javascript that was sandboxed from making web requests, then it could have access to whatever private data it wanted without entailing a privacy risk.
The web has so many vectors for exfiltrating data that it seems hard to come up with a js sandbox that is both useful and cannot leak data. Any DOM write access whatsoever allows you to do things like update link targets to include the private data or manipulate the DOM in ways that can be read by unsandboxed script. Even wothout considering timing attacks I'm unconvinced that there's a way forward that involves trying to separate js with permission to read system state from the network.
