Apple unfortunately declared XPC to be a private API on iOS, whereas on macOS it is the foundation for sandboxing custom services.
I found no way to sandbox things beyond the sandboxes provided by iOS extension points (which are mostly XPC under the hood, but with no control options for the app).
Apple makes heavy use of XPC to sandbox iMessage services, but on iOS that remains an Apple-only feature.
A messaging app has almost all the same security concerns as a browser, so the recommendations here apply: https://developer.apple.com/documentation/browserenginekit