Currently Python apps are run without any sort of jail, which makes it possible to access all sorts of things it shouldn't if permissions are not set correctly. cx-freeze, plus copying the few dynamic libs needed by the generated executable, seems to do the trick of letting it run in a chroot jail.
A slight complication is that standard Python modules may need C libraries, so the set of dynamic libs that need to be provided in the jail isn't fixed. Some scripting is probably needed to recursively identify the necessary libraries. Alternatively, bind-mounting /lib, /lib64, /usr/lib and maybe one or two others may be sufficient.