https://www.blackhat.com/docs/sp-14/materials/arsenal/sp-14-Almeida-Bypassing-the-Secure-Desktop-Protections-Slides.pdf
The idea is just run a keylogger inside the container.
I just found rehips and I am not yet oriented. If there is a technical architecture document that describes the set of likely sandbox escape and sandbox attack defenses then please point me to this kind of document(s).
There are several useful blogposts covering basics, internals and other useful topics. They're all in this post https://forum.rehips.com/index.php?topic=9520.0 I'm sure you'll find a lot of useful stuff there.
When ReHIPS was created, we kept in mind desktop attacks and similar stuff, so it should provide solid protection against them.