Chromebooks are locked down, yes, but they do give you the keys. It involves unplugging the internal battery to be able to modify the hardware write protection, entering dev mode to disable the write protection, and then flashing a Coreboot port onto the firmware. Even then, a lot of basic things may or may not work once you’re booted into Linux. From experience, I don’t recommend it.
A compatibility layer like Wine is not a replacement for a true sandbox. Although Wine may have some basic sandboxing capabilities, the default Wine configuration grants access to your home directory, which something like ransomware could take advantage of.
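To see what a given Wine prefix actually exposes, the following added example (not part of the original comment) lists every symlink in the prefix that resolves to a host directory outside it. It assumes the usual prefix layout, where drive letters are symlinks under `dosdevices/` and per-user folders are symlinks under `drive_c/users/<name>/`; the function name `wine_prefix_exposure` is hypothetical.

```shell
#!/bin/sh
# Added example: audit a Wine prefix for host directories reachable
# through its symlinks. Read-only; it changes nothing in the prefix.
# Usage: wine_prefix_exposure [PREFIX]  (default: $WINEPREFIX or ~/.wine)

wine_prefix_exposure() {
    prefix=${1:-${WINEPREFIX:-$HOME/.wine}}
    [ -d "$prefix" ] || { echo "no such prefix: $prefix" >&2; return 2; }
    # Physical path of the prefix, so comparisons survive symlinked parents.
    prefix_real=$(cd "$prefix" && pwd -P) || return 2

    # Assumed layout: drive letters live in dosdevices/, user folders
    # (Documents, Desktop, ...) live in drive_c/users/<name>/.
    for link in "$prefix"/dosdevices/* "$prefix"/drive_c/users/*/*; do
        [ -L "$link" ] || continue
        # Resolve to a physical directory; dangling links and device
        # nodes cannot be entered and are skipped.
        target=$(cd "$link" 2>/dev/null && pwd -P) || continue
        case "$target/" in
            "$prefix_real"/*) ;;  # resolves inside the prefix: contained
            *) echo "EXPOSED ${link#"$prefix"/} -> $target" ;;
        esac
    done
    return 0
}
```

Any `EXPOSED` line is a host path that a program running in that prefix can read and write with your user's permissions.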