Forms injected with qRules or that have custom code can be published as sandboxed in SharePoint 2010, if your SharePoint install has sandbox enabled.
However, we are seeing that forms that have a loading event (either from the injected qRules DLL or in the custom code) appear to run under the service account when they first open. This means that a web service returning Active Directory info (like DBXL) may not return the expected results, if any, if the data connection is set to execute when the form loads.
Setting a rule to execute the data connection when the qRules finishedLoading node is set to true (after qRules finishes initializing) also appears to be running under the service account.
Executing the data connection after the form is completely open appears to run under the actual user account - rules could be set to run on the change of another field if GetMyInfo data is needed.
This also means that a SharePoint web service, like UpdateListItems, will use the same service account. So a sandboxed qRules form that is using the SubmitToSharePointList command will show submitted list items as having been created or modified by the service account.
To work around this, you can continue to admin approve your qRules templates. Admin approved forms make web service calls with the credentials of the logged in user.